From 8dbdd6640ce107483395283a6e80b5f7789c1d7f Mon Sep 17 00:00:00 2001 From: kratostaine Date: Thu, 7 May 2020 21:54:58 +0530 Subject: [PATCH] Add token endpoint implementation Fixes gh-67 --- .../authorization/OAuth2Authorization.java | 10 + .../OAuth2AccessTokenAuthenticationToken.java | 10 + ...2AuthorizationCodeAuthenticationToken.java | 10 + .../web/OAuth2TokenEndpointFilter.java | 149 +++++++++++- .../web/OAuth2TokenEndpointFilterTests.java | 230 ++++++++++++++++++ 5 files changed, 408 insertions(+), 1 deletion(-) create mode 100644 core/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilterTests.java diff --git a/core/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2Authorization.java b/core/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2Authorization.java index f3dad82..c298052 100644 --- a/core/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2Authorization.java +++ b/core/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2Authorization.java @@ -33,6 +33,7 @@ import java.util.function.Consumer; * * @author Joe Grandja * @author Krisztian Toth + * @author Madhu Bhat * @since 0.0.1 * @see RegisteredClient * @see OAuth2AccessToken @@ -74,6 +75,15 @@ public class OAuth2Authorization implements Serializable { return this.accessToken; } + /** + * Sets the access token {@link OAuth2AccessToken} in the {@link OAuth2Authorization}. + * + * @param accessToken the access token + */ + public final void setAccessToken(OAuth2AccessToken accessToken) { + this.accessToken = accessToken; + } + /** * Returns the attribute(s) associated to the authorization. * diff --git a/core/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AccessTokenAuthenticationToken.java b/core/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AccessTokenAuthenticationToken.java index 0c19b6b..dbf28ce 100644 --- a/core/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AccessTokenAuthenticationToken.java +++ b/core/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AccessTokenAuthenticationToken.java @@ -25,6 +25,7 @@ import java.util.Collections; /** * @author Joe Grandja + * @author Madhu Bhat */ public class OAuth2AccessTokenAuthenticationToken extends AbstractAuthenticationToken { private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID; @@ -49,4 +50,13 @@ public class OAuth2AccessTokenAuthenticationToken extends AbstractAuthentication public Object getPrincipal() { return null; } + + /** + * Returns the access token {@link OAuth2AccessToken}. + * + * @return the access token + */ + public OAuth2AccessToken getAccessToken() { + return this.accessToken; + } } diff --git a/core/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationToken.java b/core/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationToken.java index d6a1779..aaa567b 100644 --- a/core/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationToken.java +++ b/core/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationToken.java @@ -24,6 +24,7 @@ import java.util.Collections; /** * @author Joe Grandja + * @author Madhu Bhat */ public class OAuth2AuthorizationCodeAuthenticationToken extends AbstractAuthenticationToken { private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID; @@ -57,4 +58,13 @@ public class OAuth2AuthorizationCodeAuthenticationToken extends AbstractAuthenti public Object getPrincipal() { return null; } + + /** + * Returns the code. + * + * @return the code + */ + public String getCode() { + return this.code; + } } diff --git a/core/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilter.java b/core/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilter.java index 7b2765a..8bf8f28 100644 --- a/core/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilter.java +++ b/core/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilter.java @@ -15,10 +15,31 @@ */ package org.springframework.security.oauth2.server.authorization.web; +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.databind.ObjectMapper; import org.springframework.core.convert.converter.Converter; +import org.springframework.http.HttpHeaders; +import org.springframework.http.HttpMethod; +import org.springframework.http.HttpStatus; +import org.springframework.http.MediaType; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.core.Authentication; +import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.security.oauth2.core.AuthorizationGrantType; +import org.springframework.security.oauth2.core.OAuth2AccessToken; +import org.springframework.security.oauth2.core.OAuth2AuthenticationException; +import org.springframework.security.oauth2.core.OAuth2Error; +import org.springframework.security.oauth2.core.OAuth2ErrorCodes; +import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames; +import org.springframework.security.oauth2.server.authorization.OAuth2Authorization; import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService; +import org.springframework.security.oauth2.server.authorization.TokenType; +import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken; +import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken; +import org.springframework.security.web.util.matcher.AntPathRequestMatcher; +import org.springframework.security.web.util.matcher.RequestMatcher; +import org.springframework.util.Assert; +import org.springframework.util.StringUtils; import org.springframework.web.filter.OncePerRequestFilter; import javax.servlet.FilterChain; @@ -26,19 +47,145 @@ import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; +import java.io.Writer; /** + * This {@code Filter} is used by the client to obtain an access token by presenting + * its authorization grant. + * + *

+ * It converts the OAuth 2.0 Access Token Request to {@link OAuth2AuthorizationCodeAuthenticationToken}, + * which is then authenticated by the {@link AuthenticationManager} and gets back + * {@link OAuth2AccessTokenAuthenticationToken} which has the {@link OAuth2AccessToken} if the request + * was successfully authenticated. The {@link OAuth2AccessToken} is then updated in the in-flight {@link OAuth2Authorization} + * and sent back to the client. In case the authentication fails, an HTTP 401 (Unauthorized) response is returned. + * + *

+ * By default, this {@code Filter} responds to access token requests + * at the {@code URI} {@code /oauth2/token} and {@code HttpMethod} {@code POST} + * using the default {@link AntPathRequestMatcher}. + * + *

+ * The default base {@code URI} {@code /oauth2/token} may be overridden + * via the constructor {@link #OAuth2TokenEndpointFilter(OAuth2AuthorizationService, AuthenticationManager, String)}. + * * @author Joe Grandja + * @author Madhu Bhat */ public class OAuth2TokenEndpointFilter extends OncePerRequestFilter { - private Converter authorizationGrantConverter; + /** + * The default endpoint {@code URI} for access token requests. + */ + private static final String DEFAULT_TOKEN_ENDPOINT_URI = "/oauth2/token"; + + private Converter authorizationGrantConverter = this::convert; private AuthenticationManager authenticationManager; private OAuth2AuthorizationService authorizationService; + private RequestMatcher uriMatcher; + private ObjectMapper objectMapper = new ObjectMapper().setSerializationInclusion(JsonInclude.Include.NON_NULL); + + /** + * Constructs an {@code OAuth2TokenEndpointFilter} using the provided parameters. + * + * @param authorizationService the authorization service implementation + * @param authenticationManager the authentication manager implementation + */ + public OAuth2TokenEndpointFilter(OAuth2AuthorizationService authorizationService, AuthenticationManager authenticationManager) { + Assert.notNull(authorizationService, "authorizationService cannot be null"); + Assert.notNull(authenticationManager, "authenticationManager cannot be null"); + this.authenticationManager = authenticationManager; + this.authorizationService = authorizationService; + this.uriMatcher = new AntPathRequestMatcher(DEFAULT_TOKEN_ENDPOINT_URI, HttpMethod.POST.name()); + } + + /** + * Constructs an {@code OAuth2TokenEndpointFilter} using the provided parameters. + * + * @param authorizationService the authorization service implementation + * @param authenticationManager the authentication manager implementation + * @param tokenEndpointUri the token endpoint's uri + */ + public OAuth2TokenEndpointFilter(OAuth2AuthorizationService authorizationService, AuthenticationManager authenticationManager, + String tokenEndpointUri) { + Assert.notNull(authorizationService, "authorizationService cannot be null"); + Assert.notNull(authenticationManager, "authenticationManager cannot be null"); + Assert.hasText(tokenEndpointUri, "tokenEndpointUri cannot be empty"); + this.authenticationManager = authenticationManager; + this.authorizationService = authorizationService; + this.uriMatcher = new AntPathRequestMatcher(tokenEndpointUri, HttpMethod.POST.name()); + } @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { + if (uriMatcher.matches(request)) { + try { + if (validateAccessTokenRequest(request)) { + OAuth2AuthorizationCodeAuthenticationToken authCodeAuthToken = + (OAuth2AuthorizationCodeAuthenticationToken) authorizationGrantConverter.convert(request); + OAuth2AccessTokenAuthenticationToken accessTokenAuthenticationToken = + (OAuth2AccessTokenAuthenticationToken) authenticationManager.authenticate(authCodeAuthToken); + if (accessTokenAuthenticationToken.isAuthenticated()) { + OAuth2Authorization authorization = authorizationService + .findByTokenAndTokenType(authCodeAuthToken.getCode(), TokenType.AUTHORIZATION_CODE); + authorization.setAccessToken(accessTokenAuthenticationToken.getAccessToken()); + authorizationService.save(authorization); + writeSuccessResponse(response, accessTokenAuthenticationToken.getAccessToken()); + } else { + throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_CLIENT)); + } + } + } catch (OAuth2AuthenticationException exception) { + SecurityContextHolder.clearContext(); + writeFailureResponse(response, exception.getError()); + } + } else { + filterChain.doFilter(request, response); + } + } + private boolean validateAccessTokenRequest(HttpServletRequest request) { + if (StringUtils.isEmpty(request.getParameter(OAuth2ParameterNames.CODE)) + || StringUtils.isEmpty(request.getParameter(OAuth2ParameterNames.REDIRECT_URI)) + || StringUtils.isEmpty(request.getParameter(OAuth2ParameterNames.GRANT_TYPE))) { + throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST)); + } else if (!AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(request.getParameter(OAuth2ParameterNames.GRANT_TYPE))) { + throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.UNSUPPORTED_GRANT_TYPE)); + } + return true; + } + + private OAuth2AuthorizationCodeAuthenticationToken convert(HttpServletRequest request) { + Authentication clientPrincipal = SecurityContextHolder.getContext().getAuthentication(); + return new OAuth2AuthorizationCodeAuthenticationToken( + request.getParameter(OAuth2ParameterNames.CODE), + clientPrincipal, + request.getParameter(OAuth2ParameterNames.REDIRECT_URI) + ); + } + + private void writeSuccessResponse(HttpServletResponse response, OAuth2AccessToken body) throws IOException { + try (Writer out = response.getWriter()) { + response.setStatus(HttpStatus.OK.value()); + response.setContentType(MediaType.APPLICATION_JSON_VALUE); + response.setCharacterEncoding("UTF-8"); + response.setHeader(HttpHeaders.CACHE_CONTROL, "no-store"); + response.setHeader(HttpHeaders.PRAGMA, "no-cache"); + out.write(objectMapper.writeValueAsString(body)); + } + } + + private void writeFailureResponse(HttpServletResponse response, OAuth2Error error) throws IOException { + try (Writer out = response.getWriter()) { + if (error.getErrorCode().equals(OAuth2ErrorCodes.INVALID_CLIENT)) { + response.setStatus(HttpStatus.UNAUTHORIZED.value()); + } else { + response.setStatus(HttpStatus.BAD_REQUEST.value()); + } + response.setContentType(MediaType.APPLICATION_JSON_VALUE); + response.setCharacterEncoding("UTF-8"); + out.write(objectMapper.writeValueAsString(error)); + } } } diff --git a/core/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilterTests.java b/core/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilterTests.java new file mode 100644 index 0000000..0deddbe --- /dev/null +++ b/core/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilterTests.java @@ -0,0 +1,230 @@ +/* + * Copyright 2020 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.springframework.security.oauth2.server.authorization.web; + +import org.junit.Before; +import org.junit.Test; +import org.springframework.http.HttpHeaders; +import org.springframework.http.HttpStatus; +import org.springframework.mock.web.MockHttpServletRequest; +import org.springframework.mock.web.MockHttpServletResponse; +import org.springframework.security.authentication.AuthenticationManager; +import org.springframework.security.core.Authentication; +import org.springframework.security.oauth2.core.AuthorizationGrantType; +import org.springframework.security.oauth2.core.OAuth2AccessToken; +import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames; +import org.springframework.security.oauth2.server.authorization.OAuth2Authorization; +import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationAttributeNames; +import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService; +import org.springframework.security.oauth2.server.authorization.TokenType; +import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken; +import org.springframework.security.oauth2.server.authorization.client.RegisteredClient; +import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients; + +import javax.servlet.FilterChain; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.time.Instant; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.Mockito.anyString; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.times; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.verifyNoInteractions; +import static org.mockito.Mockito.when; + +/** + * Tests for {@link OAuth2TokenEndpointFilter}. + * + * @author Madhu Bhat + */ +public class OAuth2TokenEndpointFilterTests { + + private OAuth2TokenEndpointFilter filter; + private OAuth2AuthorizationService authorizationService = mock(OAuth2AuthorizationService.class); + private AuthenticationManager authenticationManager = mock(AuthenticationManager.class); + private FilterChain filterChain = mock(FilterChain.class); + private String requestUri; + private static final RegisteredClient REGISTERED_CLIENT = TestRegisteredClients.registeredClient().build(); + private static final String PRINCIPAL_NAME = "principal"; + private static final String AUTHORIZATION_CODE = "code"; + + @Before + public void setUp() { + this.filter = new OAuth2TokenEndpointFilter(this.authorizationService, this.authenticationManager); + this.requestUri = "/oauth2/token"; + } + + @Test + public void constructorServiceAndManagerWhenNullThenThrowIllegalArgumentException() { + assertThatThrownBy(() -> { + new OAuth2TokenEndpointFilter(null, null); + }).isInstanceOf(IllegalArgumentException.class); + } + + @Test + public void constructorServiceAndManagerAndEndpointWhenNullThenThrowIllegalArgumentException() { + assertThatThrownBy(() -> { + new OAuth2TokenEndpointFilter(null, null, null); + }).isInstanceOf(IllegalArgumentException.class); + } + + @Test + public void doFilterWhenNotTokenRequestThenNextFilter() throws Exception { + this.requestUri = "/path"; + MockHttpServletRequest request = new MockHttpServletRequest("GET", this.requestUri); + request.setServletPath(this.requestUri); + MockHttpServletResponse response = new MockHttpServletResponse(); + + this.filter.doFilter(request, response, this.filterChain); + + verify(this.filterChain).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class)); + } + + @Test + public void doFilterWhenAccessTokenRequestWithoutGrantTypeThenRespondWithBadRequest() throws Exception { + MockHttpServletRequest request = new MockHttpServletRequest("POST", this.requestUri); + request.addParameter(OAuth2ParameterNames.CODE, "testAuthCode"); + request.addParameter(OAuth2ParameterNames.REDIRECT_URI, "testRedirectUri"); + request.setServletPath(this.requestUri); + MockHttpServletResponse response = new MockHttpServletResponse(); + + this.filter.doFilter(request, response, this.filterChain); + + verifyNoInteractions(this.filterChain); + assertThat(response.getStatus()).isEqualTo(HttpStatus.BAD_REQUEST.value()); + assertThat(response.getContentAsString()).isEqualTo("{\"errorCode\":\"invalid_request\"}"); + } + + @Test + public void doFilterWhenAccessTokenRequestWithoutCodeThenRespondWithBadRequest() throws Exception { + MockHttpServletRequest request = new MockHttpServletRequest("POST", this.requestUri); + request.addParameter(OAuth2ParameterNames.GRANT_TYPE, "testGrantType"); + request.addParameter(OAuth2ParameterNames.REDIRECT_URI, "testRedirectUri"); + request.setServletPath(this.requestUri); + MockHttpServletResponse response = new MockHttpServletResponse(); + + this.filter.doFilter(request, response, this.filterChain); + + verifyNoInteractions(this.filterChain); + assertThat(response.getStatus()).isEqualTo(HttpStatus.BAD_REQUEST.value()); + assertThat(response.getContentAsString()).isEqualTo("{\"errorCode\":\"invalid_request\"}"); + } + + @Test + public void doFilterWhenAccessTokenRequestWithoutRedirectUriThenRespondWithBadRequest() throws Exception { + MockHttpServletRequest request = new MockHttpServletRequest("POST", this.requestUri); + request.addParameter(OAuth2ParameterNames.GRANT_TYPE, "testGrantType"); + request.addParameter(OAuth2ParameterNames.CODE, "testAuthCode"); + request.setServletPath(this.requestUri); + MockHttpServletResponse response = new MockHttpServletResponse(); + + this.filter.doFilter(request, response, this.filterChain); + + verifyNoInteractions(this.filterChain); + assertThat(response.getStatus()).isEqualTo(HttpStatus.BAD_REQUEST.value()); + assertThat(response.getContentAsString()).isEqualTo("{\"errorCode\":\"invalid_request\"}"); + } + + @Test + public void doFilterWhenAccessTokenRequestWithoutAuthCodeGrantTypeThenRespondWithBadRequest() throws Exception { + MockHttpServletRequest request = new MockHttpServletRequest("POST", this.requestUri); + request.addParameter(OAuth2ParameterNames.GRANT_TYPE, "testGrantType"); + request.addParameter(OAuth2ParameterNames.CODE, "testAuthCode"); + request.addParameter(OAuth2ParameterNames.REDIRECT_URI, "testRedirectUri"); + request.setServletPath(this.requestUri); + MockHttpServletResponse response = new MockHttpServletResponse(); + + this.filter.doFilter(request, response, this.filterChain); + + verifyNoInteractions(this.filterChain); + assertThat(response.getStatus()).isEqualTo(HttpStatus.BAD_REQUEST.value()); + assertThat(response.getContentAsString()).isEqualTo("{\"errorCode\":\"unsupported_grant_type\"}"); + } + + @Test + public void doFilterWhenAccessTokenRequestIsNotAuthenticatedThenRespondWithUnauthorized() throws Exception { + MockHttpServletRequest request = new MockHttpServletRequest("POST", this.requestUri); + request.addParameter(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.AUTHORIZATION_CODE.getValue()); + request.addParameter(OAuth2ParameterNames.CODE, "testAuthCode"); + request.addParameter(OAuth2ParameterNames.REDIRECT_URI, "testRedirectUri"); + request.setServletPath(this.requestUri); + MockHttpServletResponse response = new MockHttpServletResponse(); + Authentication clientPrincipal = mock(Authentication.class); + RegisteredClient registeredClient = mock(RegisteredClient.class); + + OAuth2AccessToken accessToken = new OAuth2AccessToken( + OAuth2AccessToken.TokenType.BEARER, "testToken", Instant.now().minusSeconds(60), Instant.now()); + OAuth2Authorization authorization = OAuth2Authorization.withRegisteredClient(REGISTERED_CLIENT) + .principalName(PRINCIPAL_NAME) + .attribute(OAuth2AuthorizationAttributeNames.CODE, AUTHORIZATION_CODE) + .build(); + OAuth2AccessTokenAuthenticationToken accessTokenAuthenticationToken = + new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken); + accessTokenAuthenticationToken.setAuthenticated(false); + + when(this.authorizationService.findByTokenAndTokenType(anyString(), any(TokenType.class))).thenReturn(authorization); + when(this.authenticationManager.authenticate(any(Authentication.class))).thenReturn(accessTokenAuthenticationToken); + + this.filter.doFilter(request, response, this.filterChain); + + verifyNoInteractions(this.filterChain); + verify(this.authorizationService, times(0)).save(authorization); + verify(this.authenticationManager, times(1)).authenticate(any(Authentication.class)); + assertThat(response.getStatus()).isEqualTo(HttpStatus.UNAUTHORIZED.value()); + assertThat(response.getContentAsString()) + .isEqualTo("{\"errorCode\":\"invalid_client\"}"); + } + + @Test + public void doFilterWhenValidAccessTokenRequestThenRespondWithAccessToken() throws Exception { + MockHttpServletRequest request = new MockHttpServletRequest("POST", this.requestUri); + request.addParameter(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.AUTHORIZATION_CODE.getValue()); + request.addParameter(OAuth2ParameterNames.CODE, "testAuthCode"); + request.addParameter(OAuth2ParameterNames.REDIRECT_URI, "testRedirectUri"); + request.setServletPath(this.requestUri); + MockHttpServletResponse response = new MockHttpServletResponse(); + Authentication clientPrincipal = mock(Authentication.class); + RegisteredClient registeredClient = mock(RegisteredClient.class); + + OAuth2AccessToken accessToken = new OAuth2AccessToken( + OAuth2AccessToken.TokenType.BEARER, "testToken", Instant.now().minusSeconds(60), Instant.now()); + OAuth2Authorization authorization = OAuth2Authorization.withRegisteredClient(REGISTERED_CLIENT) + .principalName(PRINCIPAL_NAME) + .attribute(OAuth2AuthorizationAttributeNames.CODE, AUTHORIZATION_CODE) + .build(); + OAuth2AccessTokenAuthenticationToken accessTokenAuthenticationToken = + new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken); + accessTokenAuthenticationToken.setAuthenticated(true); + + when(this.authorizationService.findByTokenAndTokenType(anyString(), any(TokenType.class))).thenReturn(authorization); + when(this.authenticationManager.authenticate(any(Authentication.class))).thenReturn(accessTokenAuthenticationToken); + + this.filter.doFilter(request, response, this.filterChain); + + verifyNoInteractions(this.filterChain); + verify(this.authorizationService, times(1)).save(authorization); + verify(this.authenticationManager, times(1)).authenticate(any(Authentication.class)); + assertThat(response.getStatus()).isEqualTo(HttpStatus.OK.value()); + assertThat(response.getContentAsString()).contains("\"tokenValue\":\"testToken\""); + assertThat(response.getContentAsString()).contains("\"tokenType\":{\"value\":\"Bearer\"}"); + assertThat(response.getHeader(HttpHeaders.CACHE_CONTROL)).isEqualTo("no-store"); + assertThat(response.getHeader(HttpHeaders.PRAGMA)).isEqualTo("no-cache"); + } +}