Refresh token not issued when grant type not configured

Closes gh-155
2020-11-28 12:50:12 +02:00 · 2020-11-28 12:50:12 +02:00 · 7c7e664bb7
commit 7c7e664bb7
parent 7fae37f0b5
5 changed files with 10 additions and 37 deletions
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java
@ -18,6 +18,7 @@ package org.springframework.security.oauth2.server.authorization.authentication;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2Error;
@ -126,7 +127,8 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica
 				.accessToken(accessToken);
 		OAuth2RefreshToken refreshToken = null;
-		if (registeredClient.getTokenSettings().enableRefreshTokens()) {
+		if (registeredClient.getAuthorizationGrantTypes()
 				.contains(AuthorizationGrantType.REFRESH_TOKEN)) {
 			refreshToken = OAuth2TokenIssuerUtil.issueRefreshToken(registeredClient.getTokenSettings().refreshTokenTimeToLive());
 			tokensBuilder.refreshToken(refreshToken);
 		}
@ -149,4 +151,5 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica
 	public boolean supports(Class<?> authentication) {
 		return OAuth2AuthorizationCodeAuthenticationToken.class.isAssignableFrom(authentication);
 	}
 }
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/TokenSettings.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/TokenSettings.java
@ -31,7 +31,6 @@ import java.util.Map;
 public class TokenSettings extends Settings {
 	private static final String TOKEN_SETTING_BASE = "setting.token.";
 	public static final String ACCESS_TOKEN_TIME_TO_LIVE = TOKEN_SETTING_BASE.concat("access-token-time-to-live");
 	public static final String ENABLE_REFRESH_TOKENS = TOKEN_SETTING_BASE.concat("enable-refresh-tokens");
 	public static final String REUSE_REFRESH_TOKENS = TOKEN_SETTING_BASE.concat("reuse-refresh-tokens");
 	public static final String REFRESH_TOKEN_TIME_TO_LIVE = TOKEN_SETTING_BASE.concat("refresh-token-time-to-live");
@ -73,26 +72,6 @@ public class TokenSettings extends Settings {
 		return this;
 	}
 	/**
 	 * Returns {@code true} if refresh tokens are enabled. The default is {@code true}.
 	 *
 	 * @return {@code true} if refresh tokens are enabled, {@code false} otherwise
 	 */
 	public boolean enableRefreshTokens() {
 		return setting(ENABLE_REFRESH_TOKENS);
 	}
 	/**
 	 * Set to {@code true} to enable refresh tokens.
 	 *
 	 * @param enableRefreshTokens {@code true} to enable refresh tokens, {@code false} otherwise
 	 * @return the {@link TokenSettings}
 	 */
 	public TokenSettings enableRefreshTokens(boolean enableRefreshTokens) {
 		setting(ENABLE_REFRESH_TOKENS, enableRefreshTokens);
 		return this;
 	}
 	/**
 	 * Returns {@code true} if refresh tokens are reused when returning the access token response,
 	 * or {@code false} if a new refresh token is issued. The default is {@code true}.
@ -138,7 +117,6 @@ public class TokenSettings extends Settings {
 	protected static Map<String, Object> defaultSettings() {
 		Map<String, Object> settings = new HashMap<>();
 		settings.put(ACCESS_TOKEN_TIME_TO_LIVE, Duration.ofMinutes(5));
 		settings.put(ENABLE_REFRESH_TOKENS, true);
 		settings.put(REUSE_REFRESH_TOKENS, true);
 		settings.put(REFRESH_TOKEN_TIME_TO_LIVE, Duration.ofMinutes(60));
 		return settings;
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/client/TestRegisteredClients.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/client/TestRegisteredClients.java
@ -62,7 +62,6 @@ public class TestRegisteredClients {
 				.scope("openid")
 				.scope("profile")
 				.scope("email")
-				.clientSettings(clientSettings -> clientSettings.requireProofKey(true))
+				.clientSettings(clientSettings -> clientSettings.requireProofKey(true));
 				.tokenSettings(tokenSettings -> tokenSettings.enableRefreshTokens(false));
 	}
 }
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/TokenSettingsTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/TokenSettingsTests.java
@ -32,9 +32,8 @@ public class TokenSettingsTests {
 	@Test
 	public void constructorWhenDefaultThenDefaultsAreSet() {
 		TokenSettings tokenSettings = new TokenSettings();
-		assertThat(tokenSettings.settings()).hasSize(4);
+		assertThat(tokenSettings.settings()).hasSize(3);
 		assertThat(tokenSettings.accessTokenTimeToLive()).isEqualTo(Duration.ofMinutes(5));
 		assertThat(tokenSettings.enableRefreshTokens()).isTrue();
 		assertThat(tokenSettings.reuseRefreshTokens()).isTrue();
 		assertThat(tokenSettings.refreshTokenTimeToLive()).isEqualTo(Duration.ofMinutes(60));
 	}
@ -71,12 +70,6 @@ public class TokenSettingsTests {
 				.isEqualTo("accessTokenTimeToLive must be greater than Duration.ZERO");
 	}
 	@Test
 	public void enableRefreshTokensWhenFalseThenSet() {
 		TokenSettings tokenSettings = new TokenSettings().enableRefreshTokens(false);
 		assertThat(tokenSettings.enableRefreshTokens()).isFalse();
 	}
 	@Test
 	public void reuseRefreshTokensWhenFalseThenSet() {
 		TokenSettings tokenSettings = new TokenSettings().reuseRefreshTokens(false);
@ -115,9 +108,8 @@ public class TokenSettingsTests {
 				.<TokenSettings>setting("name1", "value1")
 				.accessTokenTimeToLive(accessTokenTimeToLive)
 				.<TokenSettings>settings(settings -> settings.put("name2", "value2"));
-		assertThat(tokenSettings.settings()).hasSize(6);
+		assertThat(tokenSettings.settings()).hasSize(5);
 		assertThat(tokenSettings.accessTokenTimeToLive()).isEqualTo(accessTokenTimeToLive);
 		assertThat(tokenSettings.enableRefreshTokens()).isTrue();
 		assertThat(tokenSettings.reuseRefreshTokens()).isTrue();
 		assertThat(tokenSettings.refreshTokenTimeToLive()).isEqualTo(Duration.ofMinutes(60));
 		assertThat(tokenSettings.<String>setting("name1")).isEqualTo("value1");
--- a/samples/boot/oauth2-integration/authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java
+++ b/samples/boot/oauth2-integration/authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java
@ -41,13 +41,14 @@ public class AuthorizationServerConfig {
 	@Bean
 	public RegisteredClientRepository registeredClientRepository() {
 		RegisteredClient registeredClient = RegisteredClient.withId(UUID.randomUUID().toString())
-				.clientId("messaging-client")
+				.clientId("client")
 				.clientSecret("secret")
 				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
 				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 //				.authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
 				.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
 				.redirectUri("http://localhost:8080/authorized")
-				.scope("message.read")
+				.scope("read")
 				.scope("message.write")
 				.clientSettings(clientSettings -> clientSettings.requireUserConsent(true))
 				.build();