OAuth2AccessToken.scopes includes authorized or requested scopes
Closes gh-224
parent
09846eebeb
commit
6ffda38cb9
@ -166,7 +166,7 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica
|
|||||||
|
|
||||||
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
|
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
|
||||||
jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(),
|
jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(),
|
||||||
jwtAccessToken.getExpiresAt(), jwtAccessToken.getClaim(OAuth2ParameterNames.SCOPE));
|
jwtAccessToken.getExpiresAt(), authorizedScopes);
|
||||||
|
|
||||||
OAuth2RefreshToken refreshToken = null;
|
OAuth2RefreshToken refreshToken = null;
|
||||||
if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)) {
|
if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)) {
|
||||||
|
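Review bot: The scope set exposed on the OAuth2AccessToken is now `authorizedScopes` while the JWT itself still carries whatever `scope` claim the encoder emitted, so the token response's scope metadata and the claim a resource server validates can diverge whenever the claim is altered before encoding (the client-credentials test in this commit stubs a JWT whose claim is `mapped-scoped`). That divergence appears intended by the commit title, but it is a contract worth stating at the constructor call, e.g. `// Report the server-side authorized scopes to the client; the JWT 'scope' claim may differ if claims were customized before encoding`. The same substitution is made in the client-credentials and refresh-token provider hunks (`scopes` in both), so one comment in each would keep the three providers consistent. `authorizedScopes` is declared, and the enclosing method begins and ends, outside this hunk.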
@ -29,7 +29,6 @@ import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
|
|||||||
import org.springframework.security.oauth2.core.OAuth2Error;
|
import org.springframework.security.oauth2.core.OAuth2Error;
|
||||||
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
|
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
|
||||||
import org.springframework.security.oauth2.core.OAuth2TokenType;
|
import org.springframework.security.oauth2.core.OAuth2TokenType;
|
||||||
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
|
|
||||||
import org.springframework.security.oauth2.jwt.JoseHeader;
|
import org.springframework.security.oauth2.jwt.JoseHeader;
|
||||||
import org.springframework.security.oauth2.jwt.Jwt;
|
import org.springframework.security.oauth2.jwt.Jwt;
|
||||||
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
|
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
|
||||||
@ -138,7 +137,7 @@ public class OAuth2ClientCredentialsAuthenticationProvider implements Authentica
|
|||||||
|
|
||||||
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
|
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
|
||||||
jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(),
|
jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(),
|
||||||
jwtAccessToken.getExpiresAt(), jwtAccessToken.getClaim(OAuth2ParameterNames.SCOPE));
|
jwtAccessToken.getExpiresAt(), scopes);
|
||||||
|
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
OAuth2Authorization authorization = OAuth2Authorization.withRegisteredClient(registeredClient)
|
OAuth2Authorization authorization = OAuth2Authorization.withRegisteredClient(registeredClient)
|
||||||
|
@ -35,7 +35,6 @@ import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
|
|||||||
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
|
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
|
||||||
import org.springframework.security.oauth2.core.OAuth2RefreshToken2;
|
import org.springframework.security.oauth2.core.OAuth2RefreshToken2;
|
||||||
import org.springframework.security.oauth2.core.OAuth2TokenType;
|
import org.springframework.security.oauth2.core.OAuth2TokenType;
|
||||||
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
|
|
||||||
import org.springframework.security.oauth2.jwt.JoseHeader;
|
import org.springframework.security.oauth2.jwt.JoseHeader;
|
||||||
import org.springframework.security.oauth2.jwt.Jwt;
|
import org.springframework.security.oauth2.jwt.Jwt;
|
||||||
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
|
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
|
||||||
@ -170,7 +169,7 @@ public class OAuth2RefreshTokenAuthenticationProvider implements AuthenticationP
|
|||||||
|
|
||||||
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
|
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
|
||||||
jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(),
|
jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(),
|
||||||
jwtAccessToken.getExpiresAt(), jwtAccessToken.getClaim(OAuth2ParameterNames.SCOPE));
|
jwtAccessToken.getExpiresAt(), scopes);
|
||||||
|
|
||||||
TokenSettings tokenSettings = registeredClient.getTokenSettings();
|
TokenSettings tokenSettings = registeredClient.getTokenSettings();
|
||||||
|
|
||||||
|
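Review bot: For the refresh-token grant the `scopes` passed to the OAuth2AccessToken must already be constrained to the scopes originally granted with the refresh token, since a refresh may narrow but never widen scope; that validation is not visible in this hunk, so it cannot be confirmed here. If it lives earlier in the method, a one-line comment at this call such as `// scopes has been validated above as a subset of the originally authorized scopes` would make the invariant explicit for the next reader. The enclosing method begins and ends outside this hunk.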
@ -264,6 +264,8 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
|
|||||||
assertThat(accessTokenAuthentication.getRegisteredClient().getId()).isEqualTo(updatedAuthorization.getRegisteredClientId());
|
assertThat(accessTokenAuthentication.getRegisteredClient().getId()).isEqualTo(updatedAuthorization.getRegisteredClientId());
|
||||||
assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal);
|
assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal);
|
||||||
assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(updatedAuthorization.getAccessToken().getToken());
|
assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(updatedAuthorization.getAccessToken().getToken());
|
||||||
|
assertThat(accessTokenAuthentication.getAccessToken().getScopes())
|
||||||
|
.isEqualTo(authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
|
||||||
assertThat(accessTokenAuthentication.getRefreshToken()).isNotNull();
|
assertThat(accessTokenAuthentication.getRefreshToken()).isNotNull();
|
||||||
assertThat(accessTokenAuthentication.getRefreshToken()).isEqualTo(updatedAuthorization.getRefreshToken().getToken());
|
assertThat(accessTokenAuthentication.getRefreshToken()).isEqualTo(updatedAuthorization.getRefreshToken().getToken());
|
||||||
OAuth2Authorization.Token<OAuth2AuthorizationCode> authorizationCode = updatedAuthorization.getToken(OAuth2AuthorizationCode.class);
|
OAuth2Authorization.Token<OAuth2AuthorizationCode> authorizationCode = updatedAuthorization.getToken(OAuth2AuthorizationCode.class);
|
||||||
@ -320,6 +322,8 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
|
|||||||
assertThat(accessTokenAuthentication.getRegisteredClient().getId()).isEqualTo(updatedAuthorization.getRegisteredClientId());
|
assertThat(accessTokenAuthentication.getRegisteredClient().getId()).isEqualTo(updatedAuthorization.getRegisteredClientId());
|
||||||
assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal);
|
assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal);
|
||||||
assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(updatedAuthorization.getAccessToken().getToken());
|
assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(updatedAuthorization.getAccessToken().getToken());
|
||||||
|
assertThat(accessTokenAuthentication.getAccessToken().getScopes())
|
||||||
|
.isEqualTo(authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
|
||||||
assertThat(accessTokenAuthentication.getRefreshToken()).isNotNull();
|
assertThat(accessTokenAuthentication.getRefreshToken()).isNotNull();
|
||||||
assertThat(accessTokenAuthentication.getRefreshToken()).isEqualTo(updatedAuthorization.getRefreshToken().getToken());
|
assertThat(accessTokenAuthentication.getRefreshToken()).isEqualTo(updatedAuthorization.getRefreshToken().getToken());
|
||||||
OAuth2Authorization.Token<OAuth2AuthorizationCode> authorizationCode = updatedAuthorization.getToken(OAuth2AuthorizationCode.class);
|
OAuth2Authorization.Token<OAuth2AuthorizationCode> authorizationCode = updatedAuthorization.getToken(OAuth2AuthorizationCode.class);
|
||||||
|
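Review bot: The new assertion compares `getScopes()` with the `AUTHORIZED_SCOPE_ATTRIBUTE_NAME` attribute, but if the JWT stubbed in these two tests carries the same `scope` claim as that attribute, the assertion passes against both the old `getClaim(OAuth2ParameterNames.SCOPE)` code and the new `authorizedScopes` code and so does not pin the change. The client-credentials test in this commit stubs a JWT with a deliberately different claim (`mapped-scoped`); doing the same here, and asserting that the exposed scopes equal the authorized set rather than that claim, would make the regression detectable. The stubbed JWT and the rest of the test method are outside this hunk.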
@ -30,6 +30,7 @@ import org.springframework.security.oauth2.core.AuthorizationGrantType;
|
|||||||
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
|
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
|
||||||
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
|
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
|
||||||
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
|
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
|
||||||
|
import org.springframework.security.oauth2.core.OAuth2TokenType;
|
||||||
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
|
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
|
||||||
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
|
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
|
||||||
import org.springframework.security.oauth2.jwt.JoseHeaderNames;
|
import org.springframework.security.oauth2.jwt.JoseHeaderNames;
|
||||||
@ -37,7 +38,6 @@ import org.springframework.security.oauth2.jwt.Jwt;
|
|||||||
import org.springframework.security.oauth2.jwt.JwtEncoder;
|
import org.springframework.security.oauth2.jwt.JwtEncoder;
|
||||||
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
|
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
|
||||||
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
|
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
|
||||||
import org.springframework.security.oauth2.core.OAuth2TokenType;
|
|
||||||
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
|
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
|
||||||
import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
|
import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
|
||||||
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
|
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
|
||||||
@ -168,7 +168,8 @@ public class OAuth2ClientCredentialsAuthenticationProviderTests {
|
|||||||
OAuth2ClientCredentialsAuthenticationToken authentication =
|
OAuth2ClientCredentialsAuthenticationToken authentication =
|
||||||
new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal, requestedScope);
|
new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal, requestedScope);
|
||||||
|
|
||||||
when(this.jwtEncoder.encode(any(), any())).thenReturn(createJwt(requestedScope));
|
when(this.jwtEncoder.encode(any(), any()))
|
||||||
|
.thenReturn(createJwt(Collections.singleton("mapped-scoped")));
|
||||||
|
|
||||||
OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
|
OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
|
||||||
(OAuth2AccessTokenAuthenticationToken) this.authenticationProvider.authenticate(authentication);
|
(OAuth2AccessTokenAuthenticationToken) this.authenticationProvider.authenticate(authentication);
|
||||||
|
@ -34,6 +34,7 @@ import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
|
|||||||
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
|
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
|
||||||
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
|
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
|
||||||
import org.springframework.security.oauth2.core.OAuth2RefreshToken2;
|
import org.springframework.security.oauth2.core.OAuth2RefreshToken2;
|
||||||
|
import org.springframework.security.oauth2.core.OAuth2TokenType;
|
||||||
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
|
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
|
||||||
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
|
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
|
||||||
import org.springframework.security.oauth2.jwt.JoseHeaderNames;
|
import org.springframework.security.oauth2.jwt.JoseHeaderNames;
|
||||||
@ -42,7 +43,6 @@ import org.springframework.security.oauth2.jwt.JwtEncoder;
|
|||||||
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
|
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
|
||||||
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
|
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
|
||||||
import org.springframework.security.oauth2.server.authorization.TestOAuth2Authorizations;
|
import org.springframework.security.oauth2.server.authorization.TestOAuth2Authorizations;
|
||||||
import org.springframework.security.oauth2.core.OAuth2TokenType;
|
|
||||||
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
|
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
|
||||||
import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
|
import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
|
||||||
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
|
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
|
||||||
@ -182,7 +182,10 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
|
|||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void authenticateWhenRequestedScopesAuthorizedThenAccessTokenIncludesScopes() {
|
public void authenticateWhenRequestedScopesAuthorizedThenAccessTokenIncludesScopes() {
|
||||||
RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
|
RegisteredClient registeredClient = TestRegisteredClients.registeredClient()
|
||||||
|
.scope("scope2")
|
||||||
|
.scope("scope3")
|
||||||
|
.build();
|
||||||
OAuth2Authorization authorization = TestOAuth2Authorizations.authorization(registeredClient).build();
|
OAuth2Authorization authorization = TestOAuth2Authorizations.authorization(registeredClient).build();
|
||||||
when(this.authorizationService.findByToken(
|
when(this.authorizationService.findByToken(
|
||||||
eq(authorization.getRefreshToken().getToken().getTokenValue()),
|
eq(authorization.getRefreshToken().getToken().getTokenValue()),
|
||||||
@ -192,7 +195,7 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
|
|||||||
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient);
|
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient);
|
||||||
Set<String> authorizedScopes = authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME);
|
Set<String> authorizedScopes = authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME);
|
||||||
Set<String> requestedScopes = new HashSet<>(authorizedScopes);
|
Set<String> requestedScopes = new HashSet<>(authorizedScopes);
|
||||||
requestedScopes.remove("email");
|
requestedScopes.remove("scope1");
|
||||||
OAuth2RefreshTokenAuthenticationToken authentication = new OAuth2RefreshTokenAuthenticationToken(
|
OAuth2RefreshTokenAuthenticationToken authentication = new OAuth2RefreshTokenAuthenticationToken(
|
||||||
authorization.getRefreshToken().getToken().getTokenValue(), clientPrincipal, requestedScopes);
|
authorization.getRefreshToken().getToken().getTokenValue(), clientPrincipal, requestedScopes);
|
||||||
|
|
||||||
|
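Review bot: `requestedScopes` is now the authorized set minus `scope1`, a strict subset, which is the right setup for a refresh-grant scope test, but the assertion on the resulting token's scopes is outside this hunk so it cannot be checked that it compares against `requestedScopes` rather than `authorizedScopes`. Comparing against the narrowed set, e.g. `assertThat(accessTokenAuthentication.getAccessToken().getScopes()).isEqualTo(requestedScopes);`, is what pins that a refresh cannot widen scope; comparing against `authorizedScopes` would pass even if the provider ignored the request and re-issued the full set. The test method continues beyond this hunk.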