From 7c7e664bb756aa2307457597504a6fff9f5b1c3f Mon Sep 17 00:00:00 2001
From: Laurentiu Spilca
Date: Sat, 28 Nov 2020 12:50:12 +0200
Subject: [PATCH] Refresh token not issued when grant type not configured
Closes gh-155
---
 ...thorizationCodeAuthenticationProvider.java | 5 ++++-
 .../authorization/config/TokenSettings.java | 22 -------------------
 .../client/TestRegisteredClients.java | 3 +--
 .../config/TokenSettingsTests.java | 12 ++-------
 .../config/AuthorizationServerConfig.java | 5 +++--
 5 files changed, 10 insertions(+), 37 deletions(-)
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java
index 9e4420c..a2da746 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java
@@ -18,6 +18,7 @@ package org.springframework.security.oauth2.server.authorization.authentication;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2Error;
@@ -126,7 +127,8 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica
 .accessToken(accessToken);
 OAuth2RefreshToken refreshToken = null;
- if (registeredClient.getTokenSettings().enableRefreshTokens()) {
+ if (registeredClient.getAuthorizationGrantTypes()
+ .contains(AuthorizationGrantType.REFRESH_TOKEN)) {
 refreshToken = OAuth2TokenIssuerUtil.issueRefreshToken(registeredClient.getTokenSettings().refreshTokenTimeToLive());
 tokensBuilder.refreshToken(refreshToken);
 }
@@ -149,4 +151,5 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica
 public boolean supports(Class authentication) {
 return OAuth2AuthorizationCodeAuthenticationToken.class.isAssignableFrom(authentication);
 }
+
 }
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/TokenSettings.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/TokenSettings.java
index c6a4dd4..cab922e 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/TokenSettings.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/TokenSettings.java
@@ -31,7 +31,6 @@ import java.util.Map;
 public class TokenSettings extends Settings {
 private static final String TOKEN_SETTING_BASE = "setting.token.";
 public static final String ACCESS_TOKEN_TIME_TO_LIVE = TOKEN_SETTING_BASE.concat("access-token-time-to-live");
- public static final String ENABLE_REFRESH_TOKENS = TOKEN_SETTING_BASE.concat("enable-refresh-tokens");
 public static final String REUSE_REFRESH_TOKENS = TOKEN_SETTING_BASE.concat("reuse-refresh-tokens");
 public static final String REFRESH_TOKEN_TIME_TO_LIVE = TOKEN_SETTING_BASE.concat("refresh-token-time-to-live");
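Review bot: The rewritten condition in the `refreshToken` branch ties issuance to the client's registered grant types but records no reason, and the remaining TokenSettings values it still reads (`refreshTokenTimeToLive()` here, `reuseRefreshTokens()` elsewhere) now only take effect for a client registered with `AuthorizationGrantType.REFRESH_TOKEN`; a one-line comment above the `if` would make the policy explicit: `// Issue a refresh token only to clients registered for the refresh_token grant (RFC 6749 Section 6)`. No provider test is touched in this diff, so the behaviour named in the commit title, no refresh token when the grant type is not configured, appears to be unverified here; a test that authenticates a client registered without REFRESH_TOKEN and asserts that the returned tokens carry no refresh token would pin it, along with the positive case. The method enclosing this hunk starts and ends outside it.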
@@ -73,26 +72,6 @@ public class TokenSettings extends Settings {
 return this;
 }
- /**
- * Returns {@code true} if refresh tokens are enabled. The default is {@code true}.
- *
- * @return {@code true} if refresh tokens are enabled, {@code false} otherwise
- */
- public boolean enableRefreshTokens() {
- return setting(ENABLE_REFRESH_TOKENS);
- }
-
- /**
- * Set to {@code true} to enable refresh tokens.
- *
- * @param enableRefreshTokens {@code true} to enable refresh tokens, {@code false} otherwise
- * @return the {@link TokenSettings}
- */
- public TokenSettings enableRefreshTokens(boolean enableRefreshTokens) {
- setting(ENABLE_REFRESH_TOKENS, enableRefreshTokens);
- return this;
- }
-
 /**
 * Returns {@code true} if refresh tokens are reused when returning the access token response,
 * or {@code false} if a new refresh token is issued. The default is {@code true}.
@@ -138,7 +117,6 @@ public class TokenSettings extends Settings {
 protected static Map defaultSettings() {
 Map settings = new HashMap<>();
 settings.put(ACCESS_TOKEN_TIME_TO_LIVE, Duration.ofMinutes(5));
- settings.put(ENABLE_REFRESH_TOKENS, true);
 settings.put(REUSE_REFRESH_TOKENS, true);
 settings.put(REFRESH_TOKEN_TIME_TO_LIVE, Duration.ofMinutes(60));
 return settings;
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/client/TestRegisteredClients.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/client/TestRegisteredClients.java
index 1e5b7ba..b63c1f7 100644
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/client/TestRegisteredClients.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/client/TestRegisteredClients.java
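Review bot: Removing `ENABLE_REFRESH_TOKENS` and both `enableRefreshTokens` methods from a public class is a breaking change with no `@Deprecated` transition, and since `Settings` accepts arbitrary keys (the tests store `"name1"`/`"name2"`), a previously stored `setting.token.enable-refresh-tokens=false` would now be carried along silently rather than disabling refresh tokens; whether a deprecation cycle is expected depends on the project's compatibility policy, which this diff does not show. At minimum the retained Javadoc for `reuseRefreshTokens()` (the summary kept in this hunk) and `refreshTokenTimeToLive()` (outside it) should state the new precondition, e.g. append `Only applies when the client is registered for the {@code refresh_token} grant.` to each summary sentence, so readers do not look for a toggle that no longer exists. The same note covers the default dropped from `defaultSettings()` in the following hunk.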
@@ -62,7 +62,6 @@ public class TestRegisteredClients {
 .scope("openid")
 .scope("profile")
 .scope("email")
- .clientSettings(clientSettings -> clientSettings.requireProofKey(true))
- .tokenSettings(tokenSettings -> tokenSettings.enableRefreshTokens(false));
+ .clientSettings(clientSettings -> clientSettings.requireProofKey(true));
 }
 }
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/TokenSettingsTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/TokenSettingsTests.java
index b604ab7..3f6e233 100644
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/TokenSettingsTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/TokenSettingsTests.java
@@ -32,9 +32,8 @@ public class TokenSettingsTests {
 @Test
 public void constructorWhenDefaultThenDefaultsAreSet() {
 TokenSettings tokenSettings = new TokenSettings();
- assertThat(tokenSettings.settings()).hasSize(4);
+ assertThat(tokenSettings.settings()).hasSize(3);
 assertThat(tokenSettings.accessTokenTimeToLive()).isEqualTo(Duration.ofMinutes(5));
- assertThat(tokenSettings.enableRefreshTokens()).isTrue();
 assertThat(tokenSettings.reuseRefreshTokens()).isTrue();
 assertThat(tokenSettings.refreshTokenTimeToLive()).isEqualTo(Duration.ofMinutes(60));
 }
@@ -71,12 +70,6 @@ public class TokenSettingsTests {
 .isEqualTo("accessTokenTimeToLive must be greater than Duration.ZERO");
 }
- @Test
- public void enableRefreshTokensWhenFalseThenSet() {
- TokenSettings tokenSettings = new TokenSettings().enableRefreshTokens(false);
- assertThat(tokenSettings.enableRefreshTokens()).isFalse();
- }
-
 @Test
 public void reuseRefreshTokensWhenFalseThenSet() {
 TokenSettings tokenSettings = new TokenSettings().reuseRefreshTokens(false);
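Review bot: Dropping `.tokenSettings(tokenSettings -> tokenSettings.enableRefreshTokens(false))` from this PKCE-required client fixture replaces an explicit opt-out with an implicit one: the client now receives a refresh token if and only if its builder registers `AuthorizationGrantType.REFRESH_TOKEN`, and the builder lines declaring its grant types sit above the hunk, so the diff does not show which way this falls. Whether a client that must present a PKCE verifier also gets long-lived refresh tokens is a policy choice tests elsewhere presumably depend on, so it is worth confirming the grant types above and leaving a short comment on the fixture, e.g. `// no refresh_token grant: this client must re-run the authorization code flow`, if that is the intended behaviour. The enclosing method starts outside the hunk.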
@@ -115,9 +108,8 @@ public class TokenSettingsTests {
 .setting("name1", "value1")
 .accessTokenTimeToLive(accessTokenTimeToLive)
 .settings(settings -> settings.put("name2", "value2"));
- assertThat(tokenSettings.settings()).hasSize(6);
+ assertThat(tokenSettings.settings()).hasSize(5);
 assertThat(tokenSettings.accessTokenTimeToLive()).isEqualTo(accessTokenTimeToLive);
- assertThat(tokenSettings.enableRefreshTokens()).isTrue();
 assertThat(tokenSettings.reuseRefreshTokens()).isTrue();
 assertThat(tokenSettings.refreshTokenTimeToLive()).isEqualTo(Duration.ofMinutes(60));
 assertThat(tokenSettings.setting("name1")).isEqualTo("value1");
diff --git a/samples/boot/oauth2-integration/authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java b/samples/boot/oauth2-integration/authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java
index cf60661..8eeb851 100644
--- a/samples/boot/oauth2-integration/authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java
+++ b/samples/boot/oauth2-integration/authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java
@@ -41,13 +41,14 @@ public class AuthorizationServerConfig {
 @Bean
 public RegisteredClientRepository registeredClientRepository() {
 RegisteredClient registeredClient = RegisteredClient.withId(UUID.randomUUID().toString())
- .clientId("messaging-client")
+ .clientId("client")
 .clientSecret("secret")
 .clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
 .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
+// .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
 .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
 .redirectUri("http://localhost:8080/authorized")
- .scope("message.read")
+ .scope("read")
 .scope("message.write")
 .clientSettings(clientSettings -> clientSettings.requireUserConsent(true))
 .build();
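Review bot: The commented-out `// .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)` line leaves the sample client unable to obtain a refresh token under the new rule while committing dead code into the builder chain; either register the grant, since the sample is the natural place to demonstrate the behaviour this commit introduces, or drop the line, but not leave it commented out. The `clientId("messaging-client")` to `"client"` and `scope("message.read")` to `"read"` edits appear unrelated to the refresh-token fix and leave `read` beside `message.write`, which reads like a local test change that slipped in; if the companion resource-server sample still expects `message.read`, tokens issued by this sample would no longer satisfy it. The `registeredClientRepository()` method continues past the hunk after `.build()`.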