Scope "openid" should be in access token response scope

- Still does not require user consent

Closes gh-252
This commit is contained in:
Joshua Casey 2021-03-03 17:00:35 -06:00 committed by Joe Grandja
parent 1962b9c5b7
commit 3b0938883b
2 changed files with 4 additions and 14 deletions

View File

@ -18,7 +18,6 @@ package org.springframework.security.oauth2.server.authorization.authentication;
import java.security.Principal; import java.security.Principal;
import java.util.Collections; import java.util.Collections;
import java.util.HashMap; import java.util.HashMap;
import java.util.HashSet;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
@ -147,7 +146,7 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica
JoseHeader.Builder headersBuilder = JwtUtils.headers(); JoseHeader.Builder headersBuilder = JwtUtils.headers();
JwtClaimsSet.Builder claimsBuilder = JwtUtils.accessTokenClaims( JwtClaimsSet.Builder claimsBuilder = JwtUtils.accessTokenClaims(
registeredClient, issuer, authorization.getPrincipalName(), registeredClient, issuer, authorization.getPrincipalName(),
excludeOpenidIfNecessary(authorizedScopes)); authorizedScopes);
// @formatter:off // @formatter:off
JwtEncodingContext context = JwtEncodingContext.with(headersBuilder, claimsBuilder) JwtEncodingContext context = JwtEncodingContext.with(headersBuilder, claimsBuilder)
@ -169,7 +168,7 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(), jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(),
jwtAccessToken.getExpiresAt(), excludeOpenidIfNecessary(authorizedScopes)); jwtAccessToken.getExpiresAt(), authorizedScopes);
OAuth2RefreshToken refreshToken = null; OAuth2RefreshToken refreshToken = null;
if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)) { if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)) {
@ -245,15 +244,6 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica
registeredClient, clientPrincipal, accessToken, refreshToken, additionalParameters); registeredClient, clientPrincipal, accessToken, refreshToken, additionalParameters);
} }
private static Set<String> excludeOpenidIfNecessary(Set<String> scopes) {
if (!scopes.contains(OidcScopes.OPENID)) {
return scopes;
}
scopes = new HashSet<>(scopes);
scopes.remove(OidcScopes.OPENID);
return scopes;
}
@Override @Override
public boolean supports(Class<?> authentication) { public boolean supports(Class<?> authentication) {
return OAuth2AuthorizationCodeAuthenticationToken.class.isAssignableFrom(authentication); return OAuth2AuthorizationCodeAuthenticationToken.class.isAssignableFrom(authentication);

View File

@ -311,7 +311,8 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
assertThat(accessTokenContext.getClaims()).isNotNull(); assertThat(accessTokenContext.getClaims()).isNotNull();
Map<String, Object> claims = new HashMap<>(); Map<String, Object> claims = new HashMap<>();
accessTokenContext.getClaims().claims(claims::putAll); accessTokenContext.getClaims().claims(claims::putAll);
assertThat(claims.containsKey(OidcScopes.OPENID)).isFalse(); assertThat(claims).flatExtracting(OAuth2ParameterNames.SCOPE)
.containsExactlyInAnyOrder(OidcScopes.OPENID, "scope1");
// ID Token context // ID Token context
JwtEncodingContext idTokenContext = jwtEncodingContextCaptor.getAllValues().get(1); JwtEncodingContext idTokenContext = jwtEncodingContextCaptor.getAllValues().get(1);
assertThat(idTokenContext.getRegisteredClient()).isEqualTo(registeredClient); assertThat(idTokenContext.getRegisteredClient()).isEqualTo(registeredClient);
@ -335,7 +336,6 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal); assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal);
assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(updatedAuthorization.getAccessToken().getToken()); assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(updatedAuthorization.getAccessToken().getToken());
Set<String> accessTokenScopes = new HashSet<>(updatedAuthorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME)); Set<String> accessTokenScopes = new HashSet<>(updatedAuthorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
accessTokenScopes.remove(OidcScopes.OPENID);
assertThat(accessTokenAuthentication.getAccessToken().getScopes()).isEqualTo(accessTokenScopes); assertThat(accessTokenAuthentication.getAccessToken().getScopes()).isEqualTo(accessTokenScopes);
assertThat(accessTokenAuthentication.getRefreshToken()).isNotNull(); assertThat(accessTokenAuthentication.getRefreshToken()).isNotNull();
assertThat(accessTokenAuthentication.getRefreshToken()).isEqualTo(updatedAuthorization.getRefreshToken().getToken()); assertThat(accessTokenAuthentication.getRefreshToken()).isEqualTo(updatedAuthorization.getRefreshToken().getToken());