Polish gh-143

This commit is contained in:
Joe Grandja 2020-11-23 15:26:34 -05:00
parent 6a5e277a11
commit ab591dc39d
15 changed files with 508 additions and 533 deletions

View File

@ -54,9 +54,7 @@ import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
@ -66,12 +64,16 @@ import java.util.Map;
* An {@link AbstractHttpConfigurer} for OAuth 2.0 Authorization Server support.
*
* @author Joe Grandja
* @author Daniel Garnier-Moiroux
* @since 0.0.1
* @see AbstractHttpConfigurer
* @see RegisteredClientRepository
* @see OAuth2AuthorizationService
* @see OAuth2AuthorizationEndpointFilter
* @see OAuth2TokenEndpointFilter
* @see OAuth2TokenRevocationEndpointFilter
* @see JwkSetEndpointFilter
* @see OidcProviderConfigurationEndpointFilter
* @see OAuth2ClientAuthenticationFilter
*/
public final class OAuth2AuthorizationServerConfigurer<B extends HttpSecurityBuilder<B>>
@ -147,15 +149,17 @@ public final class OAuth2AuthorizationServerConfigurer<B extends HttpSecurityBui
* @return a {@code List} of {@link RequestMatcher}'s for the authorization server endpoints
*/
public List<RequestMatcher> getEndpointMatchers() {
// TODO: use ProviderSettings instead
// TODO Initialize matchers using URI's from ProviderSettings
return Arrays.asList(this.authorizationEndpointMatcher, this.tokenEndpointMatcher,
this.tokenRevocationEndpointMatcher, this.jwkSetEndpointMatcher, this.oidcProviderConfigurationEndpointMatcher);
this.tokenRevocationEndpointMatcher, this.jwkSetEndpointMatcher,
this.oidcProviderConfigurationEndpointMatcher);
}
@Override
public void init(B builder) {
ProviderSettings providerSettings = getProviderSettings(builder);
validateProviderSettings(providerSettings);
OAuth2ClientAuthenticationProvider clientAuthenticationProvider =
new OAuth2ClientAuthenticationProvider(
getRegisteredClientRepository(builder),
@ -208,14 +212,16 @@ public final class OAuth2AuthorizationServerConfigurer<B extends HttpSecurityBui
@Override
public void configure(B builder) {
if (getProviderSettings(builder).issuer() != null) {
OidcProviderConfigurationEndpointFilter oidcProviderConfigurationEndpointFilter = new OidcProviderConfigurationEndpointFilter(getProviderSettings(builder));
ProviderSettings providerSettings = getProviderSettings(builder);
if (providerSettings.issuer() != null) {
OidcProviderConfigurationEndpointFilter oidcProviderConfigurationEndpointFilter =
new OidcProviderConfigurationEndpointFilter(providerSettings);
builder.addFilterBefore(postProcess(oidcProviderConfigurationEndpointFilter), AbstractPreAuthenticatedProcessingFilter.class);
}
JwkSetEndpointFilter jwkSetEndpointFilter = new JwkSetEndpointFilter(
getKeySource(builder),
getProviderSettings(builder).jwkSetEndpoint());
providerSettings.jwksEndpoint());
builder.addFilterBefore(postProcess(jwkSetEndpointFilter), AbstractPreAuthenticatedProcessingFilter.class);
AuthenticationManager authenticationManager = builder.getSharedObject(AuthenticationManager.class);
@ -230,20 +236,20 @@ public final class OAuth2AuthorizationServerConfigurer<B extends HttpSecurityBui
new OAuth2AuthorizationEndpointFilter(
getRegisteredClientRepository(builder),
getAuthorizationService(builder),
getProviderSettings(builder).authorizationEndpoint());
providerSettings.authorizationEndpoint());
builder.addFilterBefore(postProcess(authorizationEndpointFilter), AbstractPreAuthenticatedProcessingFilter.class);
OAuth2TokenEndpointFilter tokenEndpointFilter =
new OAuth2TokenEndpointFilter(
authenticationManager,
getAuthorizationService(builder),
getProviderSettings(builder).tokenEndpoint());
providerSettings.tokenEndpoint());
builder.addFilterAfter(postProcess(tokenEndpointFilter), FilterSecurityInterceptor.class);
OAuth2TokenRevocationEndpointFilter tokenRevocationEndpointFilter =
new OAuth2TokenRevocationEndpointFilter(
authenticationManager,
getProviderSettings(builder).tokenRevocationEndpoint());
providerSettings.tokenRevocationEndpoint());
builder.addFilterAfter(postProcess(tokenRevocationEndpointFilter), OAuth2TokenEndpointFilter.class);
}
@ -323,8 +329,8 @@ public final class OAuth2AuthorizationServerConfigurer<B extends HttpSecurityBui
if (providerSettings.issuer() != null) {
try {
new URI(providerSettings.issuer()).toURL();
} catch (MalformedURLException | URISyntaxException e) {
throw new IllegalArgumentException("issuer must be a valid URL");
} catch (Exception ex) {
throw new IllegalArgumentException("issuer must be a valid URL", ex);
}
}
}

View File

@ -1,79 +0,0 @@
/*
* Copyright 2020 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.oauth2.core.converter;
import org.springframework.core.convert.TypeDescriptor;
import org.springframework.core.convert.converter.ConditionalGenericConverter;
import org.springframework.core.convert.converter.GenericConverter;
import org.springframework.util.ClassUtils;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
/**
* TODO
* This class is temporary and will be removed after upgrading to Spring Security 5.5.0 GA.
*
* @author Daniel Garnier-Moiroux
* @since 0.1.0
* @see <a target="_blank" href="https://github.com/spring-projects/spring-security/pull/9146">Issue gh-9146</a>
*/
final public class ObjectToSetStringConverter2 implements ConditionalGenericConverter {
@Override
public Set<GenericConverter.ConvertiblePair> getConvertibleTypes() {
Set<GenericConverter.ConvertiblePair> convertibleTypes = new LinkedHashSet<>();
convertibleTypes.add(new GenericConverter.ConvertiblePair(Object.class, Set.class));
return convertibleTypes;
}
@Override
public boolean matches(TypeDescriptor sourceType, TypeDescriptor targetType) {
if (targetType.getElementTypeDescriptor() == null
|| targetType.getElementTypeDescriptor().getType().equals(String.class) || sourceType == null
|| ClassUtils.isAssignable(sourceType.getType(), targetType.getElementTypeDescriptor().getType())) {
return true;
}
return false;
}
@Override
public Object convert(Object source, TypeDescriptor sourceType, TypeDescriptor targetType) {
if (source == null) {
return null;
}
if (source instanceof Set) {
Set<?> sourceList = (Set<?>) source;
for (Object entry: sourceList) {
if (entry instanceof String) {
return source;
}
}
}
if (source instanceof Collection) {
Collection<String> results = new LinkedHashSet<>();
for (Object object : ((Collection<?>) source)) {
if (object != null) {
results.add(object.toString());
}
}
return results;
}
return Collections.singleton(source.toString());
}
}

View File

@ -23,9 +23,9 @@ import java.net.URI;
import java.net.URL;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Consumer;
/**
@ -39,13 +39,11 @@ import java.util.function.Consumer;
* @see OidcProviderMetadataClaimAccessor
* @see <a target="_blank" href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse">4.2. OpenID Provider Configuration Response</a>
*/
public class OidcProviderConfiguration implements OidcProviderMetadataClaimAccessor, Serializable {
public final class OidcProviderConfiguration implements OidcProviderMetadataClaimAccessor, Serializable {
private static final long serialVersionUID = Version.SERIAL_VERSION_UID;
private final Map<String, Object> claims;
private OidcProviderConfiguration(Map<String, Object> claims) {
Assert.notEmpty(claims, "claims cannot be empty");
this.claims = Collections.unmodifiableMap(new LinkedHashMap<>(claims));
}
@ -60,7 +58,7 @@ public class OidcProviderConfiguration implements OidcProviderMetadataClaimAcces
}
/**
* Constructs a new empty {@link Builder}.
* Constructs a new {@link Builder} with empty claims.
*
* @return the {@link Builder}
*/
@ -68,7 +66,6 @@ public class OidcProviderConfiguration implements OidcProviderMetadataClaimAcces
return new Builder();
}
/**
* Constructs a new {@link Builder} with the provided claims.
*
@ -82,13 +79,8 @@ public class OidcProviderConfiguration implements OidcProviderMetadataClaimAcces
/**
* Helps configure an {@link OidcProviderConfiguration}
*
* @author Daniel Garnier-Moiroux
* @since 0.1.0
* @see <a target="_blank" href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata">OpenID Connect Discovery 1.0</a>
* for required claims
*/
public static final class Builder {
public static class Builder {
private final Map<String, Object> claims = new LinkedHashMap<>();
private Builder() {
@ -97,7 +89,7 @@ public class OidcProviderConfiguration implements OidcProviderMetadataClaimAcces
/**
* Use this {@code issuer} in the resulting {@link OidcProviderConfiguration}, REQUIRED.
*
* @param issuer the issuer URI
* @param issuer the URL of the OpenID Provider's Issuer Identifier
* @return the {@link Builder} for further configuration
*/
public Builder issuer(String issuer) {
@ -124,6 +116,29 @@ public class OidcProviderConfiguration implements OidcProviderMetadataClaimAcces
return claim(OidcProviderMetadataClaimNames.TOKEN_ENDPOINT, tokenEndpoint);
}
/**
* Add this Authentication Method to the collection of {@code token_endpoint_auth_methods_supported}
* in the resulting {@link OidcProviderConfiguration}, OPTIONAL.
*
* @param authenticationMethod the OAuth 2.0 Authentication Method supported by the Token endpoint
* @return the {@link Builder} for further configuration
*/
public Builder tokenEndpointAuthenticationMethod(String authenticationMethod) {
addClaimToClaimList(OidcProviderMetadataClaimNames.TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED, authenticationMethod);
return this;
}
/**
* A {@code Consumer} of the Token Endpoint Authentication Method(s) allowing the ability to add, replace, or remove.
*
* @param authenticationMethodsConsumer a {@code Consumer} of the Token Endpoint Authentication Method(s)
* @return the {@link Builder} for further configuration
*/
public Builder tokenEndpointAuthenticationMethods(Consumer<List<String>> authenticationMethodsConsumer) {
acceptClaimValues(OidcProviderMetadataClaimNames.TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED, authenticationMethodsConsumer);
return this;
}
/**
* Use this {@code jwks_uri} in the resulting {@link OidcProviderConfiguration}, REQUIRED.
*
@ -138,11 +153,11 @@ public class OidcProviderConfiguration implements OidcProviderMetadataClaimAcces
* Add this Response Type to the collection of {@code response_types_supported} in the resulting
* {@link OidcProviderConfiguration}, REQUIRED.
*
* @param responseType the OAuth 2.0 {@code response_type} values that the OpenID Provider supports
* @param responseType the OAuth 2.0 {@code response_type} value that the OpenID Provider supports
* @return the {@link Builder} for further configuration
*/
public Builder responseType(String responseType) {
addClaimToClaimSet(OidcProviderMetadataClaimNames.RESPONSE_TYPES_SUPPORTED, responseType);
addClaimToClaimList(OidcProviderMetadataClaimNames.RESPONSE_TYPES_SUPPORTED, responseType);
return this;
}
@ -152,54 +167,8 @@ public class OidcProviderConfiguration implements OidcProviderMetadataClaimAcces
* @param responseTypesConsumer a {@code Consumer} of the Response Type(s)
* @return the {@link Builder} for further configuration
*/
public Builder responseTypes(Consumer<Set<String>> responseTypesConsumer) {
applyToClaim(OidcProviderMetadataClaimNames.RESPONSE_TYPES_SUPPORTED, responseTypesConsumer);
return this;
}
/**
* Add this Subject Type to the collection of {@code subject_types_supported} in the resulting
* {@link OidcProviderConfiguration}, REQUIRED.
*
* @param subjectType the Subject Identifiers that the OpenID Provider supports
* @return the {@link Builder} for further configuration
*/
public Builder subjectType(String subjectType) {
addClaimToClaimSet(OidcProviderMetadataClaimNames.SUBJECT_TYPES_SUPPORTED, subjectType);
return this;
}
/**
* A {@code Consumer} of the Subject Types(s) allowing the ability to add, replace, or remove.
*
* @param subjectTypesConsumer a {@code Consumer} of the Subject Types(s)
* @return the {@link Builder} for further configuration
*/
public Builder subjectTypes(Consumer<Set<String>> subjectTypesConsumer) {
applyToClaim(OidcProviderMetadataClaimNames.SUBJECT_TYPES_SUPPORTED, subjectTypesConsumer);
return this;
}
/**
* Add this Scope to the collection of {@code scopes_supported} in the resulting
* {@link OidcProviderConfiguration}, RECOMMENDED.
*
* @param scope the OAuth 2.0 {@code scopes} values that the OpenID Provider supports
* @return the {@link Builder} for further configuration
*/
public Builder scope(String scope) {
addClaimToClaimSet(OidcProviderMetadataClaimNames.SCOPES_SUPPORTED, scope);
return this;
}
/**
* A {@code Consumer} of the Scopes(s) allowing the ability to add, replace, or remove.
*
* @param scopesConsumer a {@code Consumer} of the Scopes(s)
* @return the {@link Builder} for further configuration
*/
public Builder scopes(Consumer<Set<String>> scopesConsumer) {
applyToClaim(OidcProviderMetadataClaimNames.SCOPES_SUPPORTED, scopesConsumer);
public Builder responseTypes(Consumer<List<String>> responseTypesConsumer) {
acceptClaimValues(OidcProviderMetadataClaimNames.RESPONSE_TYPES_SUPPORTED, responseTypesConsumer);
return this;
}
@ -207,11 +176,11 @@ public class OidcProviderConfiguration implements OidcProviderMetadataClaimAcces
* Add this Grant Type to the collection of {@code grant_types_supported} in the resulting
* {@link OidcProviderConfiguration}, OPTIONAL.
*
* @param grantType the OAuth 2.0 {@code grant_type} values that the OpenID Provider supports
* @param grantType the OAuth 2.0 {@code grant_type} value that the OpenID Provider supports
* @return the {@link Builder} for further configuration
*/
public Builder grantType(String grantType) {
addClaimToClaimSet(OidcProviderMetadataClaimNames.GRANT_TYPES_SUPPORTED, grantType);
addClaimToClaimList(OidcProviderMetadataClaimNames.GRANT_TYPES_SUPPORTED, grantType);
return this;
}
@ -221,39 +190,62 @@ public class OidcProviderConfiguration implements OidcProviderMetadataClaimAcces
* @param grantTypesConsumer a {@code Consumer} of the Grant Type(s)
* @return the {@link Builder} for further configuration
*/
public Builder grantTypes(Consumer<Set<String>> grantTypesConsumer) {
applyToClaim(OidcProviderMetadataClaimNames.GRANT_TYPES_SUPPORTED, grantTypesConsumer);
public Builder grantTypes(Consumer<List<String>> grantTypesConsumer) {
acceptClaimValues(OidcProviderMetadataClaimNames.GRANT_TYPES_SUPPORTED, grantTypesConsumer);
return this;
}
/**
* Add this Authentication Method to the collection of {@code token_endpoint_auth_methods_supported}
* in the resulting {@link OidcProviderConfiguration}, OPTIONAL.
* Add this Subject Type to the collection of {@code subject_types_supported} in the resulting
* {@link OidcProviderConfiguration}, REQUIRED.
*
* @param authenticationMethod the OAuth 2.0 Authentication Method supported by the Token endpoint
* @param subjectType the Subject Type that the OpenID Provider supports
* @return the {@link Builder} for further configuration
*/
public Builder tokenEndpointAuthenticationMethod(String authenticationMethod) {
addClaimToClaimSet(OidcProviderMetadataClaimNames.TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED, authenticationMethod);
public Builder subjectType(String subjectType) {
addClaimToClaimList(OidcProviderMetadataClaimNames.SUBJECT_TYPES_SUPPORTED, subjectType);
return this;
}
/**
* A {@code Consumer} of the Token Endpoint Authentication Method(s) allowing the ability to add, replace, or remove.
* A {@code Consumer} of the Subject Types(s) allowing the ability to add, replace, or remove.
*
* @param authenticationMethodsConsumer a {@code Consumer} of the Token Endpoint Authentication Method(s)
* @param subjectTypesConsumer a {@code Consumer} of the Subject Types(s)
* @return the {@link Builder} for further configuration
*/
public Builder tokenEndpointAuthenticationMethods(Consumer<Set<String>> authenticationMethodsConsumer) {
applyToClaim(OidcProviderMetadataClaimNames.TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED, authenticationMethodsConsumer);
public Builder subjectTypes(Consumer<List<String>> subjectTypesConsumer) {
acceptClaimValues(OidcProviderMetadataClaimNames.SUBJECT_TYPES_SUPPORTED, subjectTypesConsumer);
return this;
}
/**
* Use this claim in the resulting {@link OidcProviderConfiguration}
* Add this Scope to the collection of {@code scopes_supported} in the resulting
* {@link OidcProviderConfiguration}, RECOMMENDED.
*
* @param name The claim name
* @param value The claim value
* @param scope the OAuth 2.0 {@code scope} value that the OpenID Provider supports
* @return the {@link Builder} for further configuration
*/
public Builder scope(String scope) {
addClaimToClaimList(OidcProviderMetadataClaimNames.SCOPES_SUPPORTED, scope);
return this;
}
/**
* A {@code Consumer} of the Scopes(s) allowing the ability to add, replace, or remove.
*
* @param scopesConsumer a {@code Consumer} of the Scopes(s)
* @return the {@link Builder} for further configuration
*/
public Builder scopes(Consumer<List<String>> scopesConsumer) {
acceptClaimValues(OidcProviderMetadataClaimNames.SCOPES_SUPPORTED, scopesConsumer);
return this;
}
/**
* Use this claim in the resulting {@link OidcProviderConfiguration}.
*
* @param name the claim name
* @param value the claim value
* @return the {@link Builder} for further configuration
*/
public Builder claim(String name, Object value) {
@ -267,7 +259,7 @@ public class OidcProviderConfiguration implements OidcProviderMetadataClaimAcces
* Provides access to every {@link #claim(String, Object)} declared so far with
* the possibility to add, replace, or remove.
*
* @param claimsConsumer the consumer
* @param claimsConsumer a {@code Consumer} of the claims
* @return the {@link Builder} for further configurations
*/
public Builder claims(Consumer<Map<String, Object>> claimsConsumer) {
@ -276,15 +268,13 @@ public class OidcProviderConfiguration implements OidcProviderMetadataClaimAcces
}
/**
* Validate the claims and build the {@link OidcProviderConfiguration}. The following claims are REQUIRED:
* - issuer
* - authorization_endpoint
* - token_endpoint
* - jwks_uri
* - response_types_supported
* - subject_types_supported
* Validate the claims and build the {@link OidcProviderConfiguration}.
* <p>
* The following claims are REQUIRED:
* {@code issuer}, {@code authorization_endpoint}, {@code token_endpoint}, {@code jwks_uri},
* {@code response_types_supported} and {@code subject_types_supported}.
*
* @return The constructed {@link OidcProviderConfiguration}
* @return the {@link OidcProviderConfiguration}
*/
public OidcProviderConfiguration build() {
validateClaims();
@ -298,34 +288,43 @@ public class OidcProviderConfiguration implements OidcProviderMetadataClaimAcces
validateURL(this.claims.get(OidcProviderMetadataClaimNames.AUTHORIZATION_ENDPOINT), "authorizationEndpoint must be a valid URL");
Assert.notNull(this.claims.get(OidcProviderMetadataClaimNames.TOKEN_ENDPOINT), "tokenEndpoint cannot be null");
validateURL(this.claims.get(OidcProviderMetadataClaimNames.TOKEN_ENDPOINT), "tokenEndpoint must be a valid URL");
Assert.notNull(this.claims.get(OidcProviderMetadataClaimNames.JWKS_URI), "jwkSetUri cannot be null");
validateURL(this.claims.get(OidcProviderMetadataClaimNames.JWKS_URI), "jwkSetUri must be a valid URL");
Assert.notEmpty((Set<?>) this.claims.get(OidcProviderMetadataClaimNames.SUBJECT_TYPES_SUPPORTED), "subjectTypes cannot be empty");
Assert.notEmpty((Set<?>) this.claims.get(OidcProviderMetadataClaimNames.RESPONSE_TYPES_SUPPORTED), "responseTypes cannot be empty");
Assert.notNull(this.claims.get(OidcProviderMetadataClaimNames.JWKS_URI), "jwksUri cannot be null");
validateURL(this.claims.get(OidcProviderMetadataClaimNames.JWKS_URI), "jwksUri must be a valid URL");
Assert.notNull(this.claims.get(OidcProviderMetadataClaimNames.RESPONSE_TYPES_SUPPORTED), "responseTypes cannot be null");
Assert.isInstanceOf(List.class, this.claims.get(OidcProviderMetadataClaimNames.RESPONSE_TYPES_SUPPORTED), "responseTypes must be of type List");
Assert.notEmpty((List<?>) this.claims.get(OidcProviderMetadataClaimNames.RESPONSE_TYPES_SUPPORTED), "responseTypes cannot be empty");
Assert.notNull(this.claims.get(OidcProviderMetadataClaimNames.SUBJECT_TYPES_SUPPORTED), "subjectTypes cannot be null");
Assert.isInstanceOf(List.class, this.claims.get(OidcProviderMetadataClaimNames.SUBJECT_TYPES_SUPPORTED), "subjectTypes must be of type List");
Assert.notEmpty((List<?>) this.claims.get(OidcProviderMetadataClaimNames.SUBJECT_TYPES_SUPPORTED), "subjectTypes cannot be empty");
}
private void validateURL(Object url, String errorMessage) {
if (url.getClass().isAssignableFrom(URL.class)) return;
private static void validateURL(Object url, String errorMessage) {
if (URL.class.isAssignableFrom(url.getClass())) {
return;
}
try {
new URI(url.toString()).toURL();
} catch (Exception e) {
throw new IllegalArgumentException(errorMessage);
} catch (Exception ex) {
throw new IllegalArgumentException(errorMessage, ex);
}
}
@SuppressWarnings("unchecked")
private void addClaimToClaimSet(String name, String value) {
this.claims.putIfAbsent(name, new LinkedHashSet<String>());
((Set<String>) this.claims.get(name)).add(value);
private void addClaimToClaimList(String name, String value) {
Assert.hasText(name, "name cannot be empty");
Assert.notNull(value, "value cannot be null");
this.claims.computeIfAbsent(name, k -> new LinkedList<String>());
((List<String>) this.claims.get(name)).add(value);
}
@SuppressWarnings("unchecked")
private void applyToClaim(String name, Consumer<Set<String>> consumer) {
this.claims.putIfAbsent(name, new LinkedHashSet<String>());
Set<String> values = (Set<String>) this.claims.get(name);
consumer.accept(values);
private void acceptClaimValues(String name, Consumer<List<String>> valuesConsumer) {
Assert.hasText(name, "name cannot be empty");
Assert.notNull(valuesConsumer, "valuesConsumer cannot be null");
this.claims.computeIfAbsent(name, k -> new LinkedList<String>());
List<String> values = (List<String>) this.claims.get(name);
valuesConsumer.accept(values);
}
}
}

View File

@ -35,30 +35,30 @@ import java.util.List;
public interface OidcProviderMetadataClaimAccessor extends ClaimAccessor {
/**
* Returns the URL the OpenID Provider asserts as its Issuer Identifier {@code (issuer)}.
* Returns the {@code URL} the OpenID Provider asserts as its Issuer Identifier {@code (issuer)}.
*
* @return the URL the OpenID Provider asserts as its Issuer Identifier
* @return the {@code URL} the OpenID Provider asserts as its Issuer Identifier
*/
default URL getIssuer() {
return this.getClaimAsURL(OidcProviderMetadataClaimNames.ISSUER);
return getClaimAsURL(OidcProviderMetadataClaimNames.ISSUER);
}
/**
* Returns the URL of the OAuth 2.0 Authorization Endpoint {@code (authorization_endpoint)}.
* Returns the {@code URL} of the OAuth 2.0 Authorization Endpoint {@code (authorization_endpoint)}.
*
* @return the URL of the OAuth 2.0 Authorization Endpoint
* @return the {@code URL} of the OAuth 2.0 Authorization Endpoint
*/
default URL getAuthorizationEndpoint() {
return this.getClaimAsURL(OidcProviderMetadataClaimNames.AUTHORIZATION_ENDPOINT);
return getClaimAsURL(OidcProviderMetadataClaimNames.AUTHORIZATION_ENDPOINT);
}
/**
* Returns the URL of the OAuth 2.0 Token Endpoint {@code (token_endpoint)}.
* Returns the {@code URL} of the OAuth 2.0 Token Endpoint {@code (token_endpoint)}.
*
* @return the URL of the OAuth 2.0 Token Endpoint
* @return the {@code URL} of the OAuth 2.0 Token Endpoint
*/
default URL getTokenEndpoint() {
return this.getClaimAsURL(OidcProviderMetadataClaimNames.TOKEN_ENDPOINT);
return getClaimAsURL(OidcProviderMetadataClaimNames.TOKEN_ENDPOINT);
}
/**
@ -67,16 +67,16 @@ public interface OidcProviderMetadataClaimAccessor extends ClaimAccessor {
* @return the client authentication methods supported by the OAuth 2.0 Token Endpoint
*/
default List<String> getTokenEndpointAuthenticationMethods() {
return this.getClaimAsStringList(OidcProviderMetadataClaimNames.TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED);
return getClaimAsStringList(OidcProviderMetadataClaimNames.TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED);
}
/**
* Returns the URL of the JSON Web Key Set {@code (jwks_uri)}.
* Returns the {@code URL} of the JSON Web Key Set {@code (jwks_uri)}.
*
* @return the URL of the JSON Web Key Set
* @return the {@code URL} of the JSON Web Key Set
*/
default URL getJwksUri() {
return this.getClaimAsURL(OidcProviderMetadataClaimNames.JWKS_URI);
return getClaimAsURL(OidcProviderMetadataClaimNames.JWKS_URI);
}
/**
@ -85,7 +85,7 @@ public interface OidcProviderMetadataClaimAccessor extends ClaimAccessor {
* @return the OAuth 2.0 {@code response_type} values supported
*/
default List<String> getResponseTypes() {
return this.getClaimAsStringList(OidcProviderMetadataClaimNames.RESPONSE_TYPES_SUPPORTED);
return getClaimAsStringList(OidcProviderMetadataClaimNames.RESPONSE_TYPES_SUPPORTED);
}
/**
@ -94,7 +94,7 @@ public interface OidcProviderMetadataClaimAccessor extends ClaimAccessor {
* @return the OAuth 2.0 {@code grant_type} values supported
*/
default List<String> getGrantTypes() {
return this.getClaimAsStringList(OidcProviderMetadataClaimNames.GRANT_TYPES_SUPPORTED);
return getClaimAsStringList(OidcProviderMetadataClaimNames.GRANT_TYPES_SUPPORTED);
}
/**
@ -103,7 +103,7 @@ public interface OidcProviderMetadataClaimAccessor extends ClaimAccessor {
* @return the Subject Identifier types supported
*/
default List<String> getSubjectTypes() {
return this.getClaimAsStringList(OidcProviderMetadataClaimNames.SUBJECT_TYPES_SUPPORTED);
return getClaimAsStringList(OidcProviderMetadataClaimNames.SUBJECT_TYPES_SUPPORTED);
}
/**
@ -112,7 +112,7 @@ public interface OidcProviderMetadataClaimAccessor extends ClaimAccessor {
* @return the OAuth 2.0 {@code scope} values supported
*/
default List<String> getScopes() {
return this.getClaimAsStringList(OidcProviderMetadataClaimNames.SCOPES_SUPPORTED);
return getClaimAsStringList(OidcProviderMetadataClaimNames.SCOPES_SUPPORTED);
}
}

View File

@ -16,7 +16,7 @@
package org.springframework.security.oauth2.core.oidc;
/**
* The names of the "claims" defined by the OpenID Connect Discovery 1.0 that can be returned
* The names of the "claims" defined by OpenID Connect Discovery 1.0 that can be returned
* in the OpenID Provider Configuration Response.
*
* @author Daniel Garnier-Moiroux
@ -26,17 +26,17 @@ package org.springframework.security.oauth2.core.oidc;
public interface OidcProviderMetadataClaimNames {
/**
* {@code issuer} - the URL the OpenID Provider asserts as its Issuer Identifier
* {@code issuer} - the {@code URL} the OpenID Provider asserts as its Issuer Identifier
*/
String ISSUER = "issuer";
/**
* {@code authorization_endpoint} - the URL of the OAuth 2.0 Authorization Endpoint
* {@code authorization_endpoint} - the {@code URL} of the OAuth 2.0 Authorization Endpoint
*/
String AUTHORIZATION_ENDPOINT = "authorization_endpoint";
/**
* {@code token_endpoint} - the URL of the OAuth 2.0 Token Endpoint
* {@code token_endpoint} - the {@code URL} of the OAuth 2.0 Token Endpoint
*/
String TOKEN_ENDPOINT = "token_endpoint";
@ -46,7 +46,7 @@ public interface OidcProviderMetadataClaimNames {
String TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED = "token_endpoint_auth_methods_supported";
/**
* {@code jwks_uri} - the URL of the JSON Web Key Set
* {@code jwks_uri} - the {@code URL} of the JSON Web Key Set
*/
String JWKS_URI = "jwks_uri";

View File

@ -0,0 +1,67 @@
/*
* Copyright 2002-2018 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.oauth2.core.oidc.http.converter;
import org.springframework.http.converter.GenericHttpMessageConverter;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.converter.json.GsonHttpMessageConverter;
import org.springframework.http.converter.json.JsonbHttpMessageConverter;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
import org.springframework.util.ClassUtils;
/**
* TODO
* This class is a straight copy from Spring Security.
* It should be consolidated when merging this codebase into Spring Security.
*
* Utility methods for {@link HttpMessageConverter}'s.
*
* @author Joe Grandja
* @since 5.1
*/
final class HttpMessageConverters {
private static final boolean jackson2Present;
private static final boolean gsonPresent;
private static final boolean jsonbPresent;
static {
ClassLoader classLoader = HttpMessageConverters.class.getClassLoader();
jackson2Present = ClassUtils.isPresent("com.fasterxml.jackson.databind.ObjectMapper", classLoader)
&& ClassUtils.isPresent("com.fasterxml.jackson.core.JsonGenerator", classLoader);
gsonPresent = ClassUtils.isPresent("com.google.gson.Gson", classLoader);
jsonbPresent = ClassUtils.isPresent("javax.json.bind.Jsonb", classLoader);
}
private HttpMessageConverters() {
}
static GenericHttpMessageConverter<Object> getJsonMessageConverter() {
if (jackson2Present) {
return new MappingJackson2HttpMessageConverter();
}
if (gsonPresent) {
return new GsonHttpMessageConverter();
}
if (jsonbPresent) {
return new JsonbHttpMessageConverter();
}
return null;
}
}

View File

@ -13,7 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.oauth2.core.http.converter;
package org.springframework.security.oauth2.core.oidc.http.converter;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.core.convert.TypeDescriptor;
@ -28,20 +28,17 @@ import org.springframework.http.converter.HttpMessageNotReadableException;
import org.springframework.http.converter.HttpMessageNotWritableException;
import org.springframework.security.oauth2.core.converter.ClaimConversionService;
import org.springframework.security.oauth2.core.converter.ClaimTypeConverter;
import org.springframework.security.oauth2.core.converter.ObjectToSetStringConverter2;
import org.springframework.security.oauth2.core.oidc.OidcProviderConfiguration;
import org.springframework.security.oauth2.core.oidc.OidcProviderMetadataClaimNames;
import org.springframework.util.Assert;
import java.io.IOException;
import java.net.URL;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
/**
* A {@link HttpMessageConverter} for an {@link OidcProviderConfiguration OpenID Provider Configuration Metadata}.
* A {@link HttpMessageConverter} for an {@link OidcProviderConfiguration OpenID Provider Configuration Response}.
*
* @author Daniel Garnier-Moiroux
* @since 0.1.0
@ -50,9 +47,9 @@ import java.util.Set;
*/
public class OidcProviderConfigurationHttpMessageConverter
extends AbstractHttpMessageConverter<OidcProviderConfiguration> {
private static final ParameterizedTypeReference<Map<String, Object>> STRING_OBJECT_MAP =
new ParameterizedTypeReference<Map<String, Object>>() {
};
new ParameterizedTypeReference<Map<String, Object>>() {};
private final GenericHttpMessageConverter<Object> jsonMessageConverter = HttpMessageConverters.getJsonMessageConverter();
@ -73,7 +70,8 @@ public class OidcProviderConfigurationHttpMessageConverter
protected OidcProviderConfiguration readInternal(Class<? extends OidcProviderConfiguration> clazz, HttpInputMessage inputMessage)
throws HttpMessageNotReadableException {
try {
Map<String, Object> providerConfigurationParameters = (Map<String, Object>) this.jsonMessageConverter.read(STRING_OBJECT_MAP.getType(), null, inputMessage);
Map<String, Object> providerConfigurationParameters =
(Map<String, Object>) this.jsonMessageConverter.read(STRING_OBJECT_MAP.getType(), null, inputMessage);
return this.providerConfigurationConverter.convert(providerConfigurationParameters);
} catch (Exception ex) {
throw new HttpMessageNotReadableException(
@ -82,7 +80,8 @@ public class OidcProviderConfigurationHttpMessageConverter
}
@Override
protected void writeInternal(OidcProviderConfiguration providerConfiguration, HttpOutputMessage outputMessage) throws IOException, HttpMessageNotWritableException {
protected void writeInternal(OidcProviderConfiguration providerConfiguration, HttpOutputMessage outputMessage)
throws HttpMessageNotWritableException {
try {
Map<String, Object> providerConfigurationResponseParameters =
this.providerConfigurationParametersConverter.convert(providerConfiguration);
@ -98,6 +97,18 @@ public class OidcProviderConfigurationHttpMessageConverter
}
}
/**
* Sets the {@link Converter} used for converting the OpenID Provider Configuration parameters
* to an {@link OidcProviderConfiguration}.
*
* @param providerConfigurationConverter the {@link Converter} used for converting to an
* {@link OidcProviderConfiguration}
*/
public final void setProviderConfigurationConverter(Converter<Map<String, Object>, OidcProviderConfiguration> providerConfigurationConverter) {
Assert.notNull(providerConfigurationConverter, "providerConfigurationConverter cannot be null");
this.providerConfigurationConverter = providerConfigurationConverter;
}
/**
* Sets the {@link Converter} used for converting the {@link OidcProviderConfiguration} to a
* {@code Map} representation of the OpenID Provider Configuration.
@ -111,18 +122,6 @@ public class OidcProviderConfigurationHttpMessageConverter
this.providerConfigurationParametersConverter = providerConfigurationParametersConverter;
}
/**
* Sets the {@link Converter} used for converting the OpenID Provider Configuration parameters
* to an {@link OidcProviderConfiguration}.
*
* @param providerConfigurationConverter the {@link Converter} used for converting to an
* {@link OidcProviderConfiguration}
*/
public final void setProviderConfigurationConverter(Converter<Map<String, Object>, OidcProviderConfiguration> providerConfigurationConverter) {
Assert.notNull(providerConfigurationConverter, "providerConfigurationConverter cannot be null");
this.providerConfigurationConverter = providerConfigurationConverter;
}
private static final class OidcProviderConfigurationConverter implements Converter<Map<String, Object>, OidcProviderConfiguration> {
private static final ClaimConversionService CLAIM_CONVERSION_SERVICE = ClaimConversionService.getSharedInstance();
private static final TypeDescriptor OBJECT_TYPE_DESCRIPTOR = TypeDescriptor.valueOf(Object.class);
@ -130,22 +129,22 @@ public class OidcProviderConfigurationHttpMessageConverter
private static final TypeDescriptor URL_TYPE_DESCRIPTOR = TypeDescriptor.valueOf(URL.class);
private final ClaimTypeConverter claimTypeConverter;
OidcProviderConfigurationConverter() {
CLAIM_CONVERSION_SERVICE.addConverter(new ObjectToSetStringConverter2());
Map<String, Converter<Object, ?>> claimNameToConverter = new HashMap<>();
Converter<Object, ?> setStringConverter = getConverter(TypeDescriptor.collection(Set.class, STRING_TYPE_DESCRIPTOR));
private OidcProviderConfigurationConverter() {
Converter<Object, ?> collectionStringConverter = getConverter(
TypeDescriptor.collection(Collection.class, STRING_TYPE_DESCRIPTOR));
Converter<Object, ?> urlConverter = getConverter(URL_TYPE_DESCRIPTOR);
claimNameToConverter.put(OidcProviderMetadataClaimNames.ISSUER, urlConverter);
claimNameToConverter.put(OidcProviderMetadataClaimNames.AUTHORIZATION_ENDPOINT, urlConverter);
claimNameToConverter.put(OidcProviderMetadataClaimNames.TOKEN_ENDPOINT, urlConverter);
claimNameToConverter.put(OidcProviderMetadataClaimNames.JWKS_URI, urlConverter);
claimNameToConverter.put(OidcProviderMetadataClaimNames.GRANT_TYPES_SUPPORTED, setStringConverter);
claimNameToConverter.put(OidcProviderMetadataClaimNames.TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED, setStringConverter);
claimNameToConverter.put(OidcProviderMetadataClaimNames.SUBJECT_TYPES_SUPPORTED, setStringConverter);
claimNameToConverter.put(OidcProviderMetadataClaimNames.SCOPES_SUPPORTED, setStringConverter);
claimNameToConverter.put(OidcProviderMetadataClaimNames.RESPONSE_TYPES_SUPPORTED, setStringConverter);
this.claimTypeConverter = new ClaimTypeConverter(claimNameToConverter);
Map<String, Converter<Object, ?>> claimConverters = new HashMap<>();
claimConverters.put(OidcProviderMetadataClaimNames.ISSUER, urlConverter);
claimConverters.put(OidcProviderMetadataClaimNames.AUTHORIZATION_ENDPOINT, urlConverter);
claimConverters.put(OidcProviderMetadataClaimNames.TOKEN_ENDPOINT, urlConverter);
claimConverters.put(OidcProviderMetadataClaimNames.TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED, collectionStringConverter);
claimConverters.put(OidcProviderMetadataClaimNames.JWKS_URI, urlConverter);
claimConverters.put(OidcProviderMetadataClaimNames.RESPONSE_TYPES_SUPPORTED, collectionStringConverter);
claimConverters.put(OidcProviderMetadataClaimNames.GRANT_TYPES_SUPPORTED, collectionStringConverter);
claimConverters.put(OidcProviderMetadataClaimNames.SUBJECT_TYPES_SUPPORTED, collectionStringConverter);
claimConverters.put(OidcProviderMetadataClaimNames.SCOPES_SUPPORTED, collectionStringConverter);
this.claimTypeConverter = new ClaimTypeConverter(claimConverters);
}
@Override

View File

@ -15,57 +15,61 @@
*/
package org.springframework.security.oauth2.server.authorization.config;
import org.springframework.util.Assert;
import java.util.HashMap;
import java.util.Map;
/**
* A facility for OpenID Connect Provider Configuration settings.
* A facility for provider configuration settings.
*
* @author Daniel Garnier-Moiroux
* @since 0.1.0
* @see Settings
* @see <a target="_blank" href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata">OpenID Connect Discovery 1.0</a>
*/
public class ProviderSettings extends Settings {
private static final String PROVIDER_SETTING_BASE = "setting.provider.";
public static final String ISSUER = PROVIDER_SETTING_BASE.concat("issuer");
public static final String AUTHORIZATION_ENDPOINT = PROVIDER_SETTING_BASE.concat("authorization-endpoint");
public static final String TOKEN_ENDPOINT = PROVIDER_SETTING_BASE.concat("token-endpoint");
public static final String JWK_SET_ENDPOINT = PROVIDER_SETTING_BASE.concat("jwk-set-endpoint");
public static final String JWKS_ENDPOINT = PROVIDER_SETTING_BASE.concat("jwks-endpoint");
public static final String TOKEN_REVOCATION_ENDPOINT = PROVIDER_SETTING_BASE.concat("token-revocation-endpoint");
/**
* Constructs a {@code ProviderSettings}.
*/
public ProviderSettings() {
super(defaultSettings());
this(defaultSettings());
}
/**
* Returns the URL for the OpenID Issuer.
* Constructs a {@code ProviderSettings} using the provided parameters.
*
* @return the URL for the OpenID Issuer
* @param settings the initial settings
*/
public ProviderSettings(Map<String, Object> settings) {
super(settings);
}
/**
* Returns the URL of the Provider's Issuer Identifier
*
* @return the URL of the Provider's Issuer Identifier
*/
public String issuer() {
return setting(ISSUER);
}
/**
* Sets the URL the Provider uses as its Issuer Identity.
* Sets the URL the Provider uses as its Issuer Identifier.
*
* @param issuer the URL the Provider uses as its Issuer Identity.
* @param issuer the URL the Provider uses as its Issuer Identifier.
* @return the {@link ProviderSettings} for further configuration
*/
public ProviderSettings issuer(String issuer) {
Assert.notNull(issuer, "issuer cannot be null");
return setting(ISSUER, issuer);
}
/**
* Returns the provider's OAuth 2.0 Authorization endpoint. The default is {@code /oauth2/authorize}.
* Returns the Provider's OAuth 2.0 Authorization endpoint. The default is {@code /oauth2/authorize}.
*
* @return the Authorization endpoint
*/
@ -74,18 +78,17 @@ public class ProviderSettings extends Settings {
}
/**
* Sets the provider's OAuth 2.0 Authorization endpoint.
* Sets the Provider's OAuth 2.0 Authorization endpoint.
*
* @param authorizationEndpoint the Authorization endpoint
* @return the {@link ProviderSettings} for further configuration
*/
public ProviderSettings authorizationEndpoint(String authorizationEndpoint) {
Assert.hasText(authorizationEndpoint, "authorizationEndpoint cannot be empty");
return setting(AUTHORIZATION_ENDPOINT, authorizationEndpoint);
}
/**
* Returns the provider's OAuth 2.0 Token endpoint. The default is {@code /oauth2/token}.
* Returns the Provider's OAuth 2.0 Token endpoint. The default is {@code /oauth2/token}.
*
* @return the Token endpoint
*/
@ -94,38 +97,36 @@ public class ProviderSettings extends Settings {
}
/**
* Sets the provider's OAuth 2.0 Token endpoint.
* Sets the Provider's OAuth 2.0 Token endpoint.
*
* @param tokenEndpoint the Token endpoint
* @return the {@link ProviderSettings} for further configuration
*/
public ProviderSettings tokenEndpoint(String tokenEndpoint) {
Assert.hasText(tokenEndpoint, "tokenEndpoint cannot be empty");
return setting(TOKEN_ENDPOINT, tokenEndpoint);
}
/**
* Returns the provider's JWK Set endpoint. The default is {@code /oauth2/jwks}.
* Returns the Provider's JWK Set endpoint. The default is {@code /oauth2/jwks}.
*
* @return the JWK Set endpoint
*/
public String jwkSetEndpoint() {
return setting(JWK_SET_ENDPOINT);
public String jwksEndpoint() {
return setting(JWKS_ENDPOINT);
}
/**
* Sets the provider's OAuth 2.0 JWK Set endpoint.
* Sets the Provider's JWK Set endpoint.
*
* @param jwkSetEndpoint the JWK Set endpoint
* @param jwksEndpoint the JWK Set endpoint
* @return the {@link ProviderSettings} for further configuration
*/
public ProviderSettings jwkSetEndpoint(String jwkSetEndpoint) {
Assert.hasText(jwkSetEndpoint, "jwkSetEndpoint cannot be empty");
return setting(JWK_SET_ENDPOINT, jwkSetEndpoint);
public ProviderSettings jwksEndpoint(String jwksEndpoint) {
return setting(JWKS_ENDPOINT, jwksEndpoint);
}
/**
* Returns the provider's Token Revocation endpoint. The default is {@code /oauth2/revoke}.
* Returns the Provider's OAuth 2.0 Token Revocation endpoint. The default is {@code /oauth2/revoke}.
*
* @return the Token Revocation endpoint
*/
@ -134,13 +135,12 @@ public class ProviderSettings extends Settings {
}
/**
* Sets the provider's OAuth 2.0 Token Revocation endpoint.
* Sets the Provider's OAuth 2.0 Token Revocation endpoint.
*
* @param tokenRevocationEndpoint the Token Revocation endpoint
* @return the {@link ProviderSettings} for further configuration
*/
public ProviderSettings tokenRevocationEndpoint(String tokenRevocationEndpoint) {
Assert.hasText(tokenRevocationEndpoint, "tokenRevocationEndpoint cannot be empty");
return setting(TOKEN_REVOCATION_ENDPOINT, tokenRevocationEndpoint);
}
@ -148,7 +148,7 @@ public class ProviderSettings extends Settings {
Map<String, Object> settings = new HashMap<>();
settings.put(AUTHORIZATION_ENDPOINT, "/oauth2/authorize");
settings.put(TOKEN_ENDPOINT, "/oauth2/token");
settings.put(JWK_SET_ENDPOINT, "/oauth2/jwks");
settings.put(JWKS_ENDPOINT, "/oauth2/jwks");
settings.put(TOKEN_REVOCATION_ENDPOINT, "/oauth2/revoke");
return settings;
}

View File

@ -20,9 +20,9 @@ import org.springframework.http.MediaType;
import org.springframework.http.server.ServletServerHttpResponse;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponseType;
import org.springframework.security.oauth2.core.http.converter.OidcProviderConfigurationHttpMessageConverter;
import org.springframework.security.oauth2.core.oidc.OidcProviderConfiguration;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.core.oidc.http.converter.OidcProviderConfigurationHttpMessageConverter;
import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
@ -37,12 +37,13 @@ import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
* A {@code Filter} that processes OpenID Provider Configuration Request.
* A {@code Filter} that processes OpenID Provider Configuration Requests.
*
* @author Daniel Garnier-Moiroux
* @since 0.1.0
* @see OidcProviderConfiguration
* @see ProviderSettings
* @see <a target="_blank" href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig">OpenID Connect Discovery 1.0</a>
* @see <a target="_blank" href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest">4.1. OpenID Provider Configuration Request</a>
*/
public class OidcProviderConfigurationEndpointFilter extends OncePerRequestFilter {
/**
@ -50,22 +51,24 @@ public class OidcProviderConfigurationEndpointFilter extends OncePerRequestFilte
*/
public static final String DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI = "/.well-known/openid-configuration";
private final RequestMatcher requestMatcher;
private final ProviderSettings providerSettings;
private final OidcProviderConfigurationHttpMessageConverter providerConfigurationHttpMessageConverter = new OidcProviderConfigurationHttpMessageConverter();
private final RequestMatcher requestMatcher;
private final OidcProviderConfigurationHttpMessageConverter providerConfigurationHttpMessageConverter =
new OidcProviderConfigurationHttpMessageConverter();
public OidcProviderConfigurationEndpointFilter(ProviderSettings providerSettings) {
Assert.notNull(providerSettings, "providerSettings cannot be null");
this.providerSettings = providerSettings;
this.requestMatcher = new AntPathRequestMatcher(
DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI,
HttpMethod.GET.name()
);
this.providerSettings = providerSettings;
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
if (!this.requestMatcher.matches(request)) {
filterChain.doFilter(request, response);
return;
@ -75,20 +78,23 @@ public class OidcProviderConfigurationEndpointFilter extends OncePerRequestFilte
.issuer(this.providerSettings.issuer())
.authorizationEndpoint(asUrl(this.providerSettings.issuer(), this.providerSettings.authorizationEndpoint()))
.tokenEndpoint(asUrl(this.providerSettings.issuer(), this.providerSettings.tokenEndpoint()))
.jwksUri(asUrl(this.providerSettings.issuer(), this.providerSettings.jwkSetEndpoint()))
.subjectType("public")
.tokenEndpointAuthenticationMethod("client_secret_basic") // TODO: Use ClientAuthenticationMethod.CLIENT_SECRET_BASIC in Spring Security 5.5.0
.tokenEndpointAuthenticationMethod("client_secret_post") // TODO: Use ClientAuthenticationMethod.CLIENT_SECRET_POST in Spring Security 5.5.0
.jwksUri(asUrl(this.providerSettings.issuer(), this.providerSettings.jwksEndpoint()))
.responseType(OAuth2AuthorizationResponseType.CODE.getValue())
.scope(OidcScopes.OPENID)
.grantType(AuthorizationGrantType.AUTHORIZATION_CODE.getValue())
.grantType(AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
.tokenEndpointAuthenticationMethod("client_secret_basic") // TODO: move this ClientAuthenticationMethod
.grantType(AuthorizationGrantType.REFRESH_TOKEN.getValue())
.subjectType("public")
.scope(OidcScopes.OPENID)
.build();
ServletServerHttpResponse resp = new ServletServerHttpResponse(response);
this.providerConfigurationHttpMessageConverter.write(providerConfiguration, MediaType.APPLICATION_JSON, resp);
ServletServerHttpResponse httpResponse = new ServletServerHttpResponse(response);
this.providerConfigurationHttpMessageConverter.write(
providerConfiguration, MediaType.APPLICATION_JSON, httpResponse);
}
private String asUrl(String issuer, String endpoint) {
private static String asUrl(String issuer, String endpoint) {
return UriComponentsBuilder.fromUriString(issuer).path(endpoint).build().toUriString();
}
}

View File

@ -24,13 +24,11 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
import org.springframework.security.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.config.test.SpringTestRule;
import org.springframework.security.crypto.key.CryptoKeySource;
import org.springframework.security.crypto.key.StaticKeyGeneratingCryptoKeySource;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
import org.springframework.security.oauth2.server.authorization.web.OidcProviderConfigurationEndpointFilter;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy;
@ -40,7 +38,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
/**
* Integration tests for the OpenID Connect.
* Integration tests for OpenID Connect 1.0.
*
* @author Daniel Garnier-Moiroux
*/
@ -54,17 +52,17 @@ public class OidcTests {
private MockMvc mvc;
@Test
public void requestWhenIssuerSetAndOpenIDProviderConfigurationRequestThenReturnProviderConfigurationResponse() throws Exception {
public void requestWhenConfigurationRequestAndIssuerSetThenReturnConfigurationResponse() throws Exception {
this.spring.register(AuthorizationServerConfigurationWithIssuer.class).autowire();
this.mvc.perform(MockMvcRequestBuilders.get(OidcProviderConfigurationEndpointFilter.DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI))
this.mvc.perform(get(OidcProviderConfigurationEndpointFilter.DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI))
.andExpect(status().is2xxSuccessful())
.andExpect(jsonPath("issuer").value(issuerUrl))
.andReturn();
}
@Test
public void requestWhenIssuerNotSetAndOpenIDProviderConfigurationRequestThenRedirectsToLogin() throws Exception {
public void requestWhenConfigurationRequestAndIssuerNotSetThenRedirectToLogin() throws Exception {
this.spring.register(AuthorizationServerConfiguration.class).autowire();
MvcResult mvcResult = this.mvc.perform(get(OidcProviderConfigurationEndpointFilter.DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI))
@ -74,16 +72,16 @@ public class OidcTests {
}
@Test
public void requestWhenIssuerNotValidUrlThenThrowException() {
public void loadContextWhenIssuerNotValidUrlThenThrowException() {
assertThatThrownBy(
() -> this.spring.register(AuthorizationServerConfigurationWithInvalidUrlIssuer.class).autowire()
() -> this.spring.register(AuthorizationServerConfigurationWithInvalidIssuerUrl.class).autowire()
);
}
@Test
public void requestWhenIssuerNotValidUriThenThrowException() {
public void loadContextWhenIssuerNotValidUriThenThrowException() {
assertThatThrownBy(
() -> this.spring.register(AuthorizationServerConfigurationWithInvalidUriIssuer.class).autowire()
() -> this.spring.register(AuthorizationServerConfigurationWithInvalidIssuerUri.class).autowire()
);
}
@ -98,20 +96,15 @@ public class OidcTests {
@Bean
CryptoKeySource keySource() {
return new StaticKeyGeneratingCryptoKeySource();
}
@Bean
ProviderSettings providerSettings() {
return new ProviderSettings();
return mock(CryptoKeySource.class);
}
}
@EnableWebSecurity
@Import(OAuth2AuthorizationServerConfiguration.class)
static class AuthorizationServerConfigurationWithIssuer extends AuthorizationServerConfiguration {
@Bean
@Override
ProviderSettings providerSettings() {
return new ProviderSettings().issuer(issuerUrl);
}
@ -119,9 +112,9 @@ public class OidcTests {
@EnableWebSecurity
@Import(OAuth2AuthorizationServerConfiguration.class)
static class AuthorizationServerConfigurationWithInvalidUrlIssuer extends AuthorizationServerConfiguration {
static class AuthorizationServerConfigurationWithInvalidIssuerUrl extends AuthorizationServerConfiguration {
@Bean
@Override
ProviderSettings providerSettings() {
return new ProviderSettings().issuer("urn:example");
}
@ -129,9 +122,9 @@ public class OidcTests {
@EnableWebSecurity
@Import(OAuth2AuthorizationServerConfiguration.class)
static class AuthorizationServerConfigurationWithInvalidUriIssuer extends AuthorizationServerConfiguration {
static class AuthorizationServerConfigurationWithInvalidIssuerUri extends AuthorizationServerConfiguration {
@Bean
@Override
ProviderSettings providerSettings() {
return new ProviderSettings().issuer("https://not a valid uri");
}

View File

@ -1,76 +0,0 @@
/*
* Copyright 2020 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.oauth2.core.converter;
import org.junit.Test;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import static org.assertj.core.api.Assertions.assertThat;
/**
* TODO
* This class is temporary and will be removed after upgrading to Spring Security 5.5.0 GA.
* These tests will probably be folded into tests for {@link ClaimConversionService}.
*
* Tests for {@link ObjectToSetStringConverter2}.
*
* @author Daniel Garnier-Moiroux
*/
public class ObjectToSetStringConverter2Test {
@Test
@SuppressWarnings("unchecked")
public void convertFromNullThenReturnNull() {
ObjectToSetStringConverter2 converter = new ObjectToSetStringConverter2();
Set<String> result = (Set<String>) converter.convert(null, null, null);
assertThat(result).isNull();
}
@Test
@SuppressWarnings("unchecked")
public void convertFromStringThenReturnSet() {
ObjectToSetStringConverter2 converter = new ObjectToSetStringConverter2();
Set<String> result = (Set<String>) converter.convert("Hello", null, null);
assertThat(result).containsExactly("Hello");
}
@Test
@SuppressWarnings("unchecked")
public void convertFromSetThenReturnSet() {
ObjectToSetStringConverter2 converter = new ObjectToSetStringConverter2();
Set<String> result = (Set<String>) converter.convert(new HashSet<>(Arrays.asList("Hello", "world")), null, null);
assertThat(result).containsExactlyInAnyOrder("Hello", "world");
}
@Test
@SuppressWarnings("unchecked")
public void convertFromCollectionThenReturnSet() {
ObjectToSetStringConverter2 converter = new ObjectToSetStringConverter2();
Set<String> result = (Set<String>) converter.convert(Arrays.asList("Hello", "world"), null, null);
assertThat(result).containsExactlyInAnyOrder("Hello", "world");
}
@Test
@SuppressWarnings("unchecked")
public void convertFromEmptyCollectionThenReturnEmptySet() {
ObjectToSetStringConverter2 converter = new ObjectToSetStringConverter2();
Set<String> result = (Set<String>) converter.convert(Collections.emptyList(), null, null);
assertThat(result).isEmpty();
}
}

View File

@ -17,11 +17,12 @@ package org.springframework.security.oauth2.core.oidc;
import org.junit.Test;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy;
@ -54,7 +55,7 @@ public class OidcProviderConfigurationTests {
.grantType("authorization_code")
.grantType("client_credentials")
.subjectType("public")
.tokenEndpointAuthenticationMethod("basic")
.tokenEndpointAuthenticationMethod("client_secret_basic")
.claim("a-claim", "a-value")
.build();
@ -66,8 +67,8 @@ public class OidcProviderConfigurationTests {
assertThat(providerConfiguration.getResponseTypes()).containsExactly("code");
assertThat(providerConfiguration.getGrantTypes()).containsExactlyInAnyOrder("authorization_code", "client_credentials");
assertThat(providerConfiguration.getSubjectTypes()).containsExactly("public");
assertThat(providerConfiguration.getTokenEndpointAuthenticationMethods()).containsExactly("basic");
assertThat(providerConfiguration.getClaimAsString("a-claim")).isEqualTo("a-value");
assertThat(providerConfiguration.getTokenEndpointAuthenticationMethods()).containsExactly("client_secret_basic");
assertThat(providerConfiguration.<String>getClaim("a-claim")).isEqualTo("a-value");
}
@Test
@ -94,15 +95,15 @@ public class OidcProviderConfigurationTests {
}
@Test
public void buildFromClaimsThenCreated() {
HashMap<String, Object> claims = new HashMap<>();
public void buildWhenClaimsProvidedThenCreated() {
Map<String, Object> claims = new HashMap<>();
claims.put(OidcProviderMetadataClaimNames.ISSUER, "https://example.com/issuer1");
claims.put(OidcProviderMetadataClaimNames.AUTHORIZATION_ENDPOINT, "https://example.com/issuer1/oauth2/authorize");
claims.put(OidcProviderMetadataClaimNames.TOKEN_ENDPOINT, "https://example.com/issuer1/oauth2/token");
claims.put(OidcProviderMetadataClaimNames.JWKS_URI, "https://example.com/issuer1/oauth2/jwks");
claims.put(OidcProviderMetadataClaimNames.SCOPES_SUPPORTED, Collections.singleton("openid"));
claims.put(OidcProviderMetadataClaimNames.RESPONSE_TYPES_SUPPORTED, Collections.singleton("code"));
claims.put(OidcProviderMetadataClaimNames.SUBJECT_TYPES_SUPPORTED, Collections.singleton("public"));
claims.put(OidcProviderMetadataClaimNames.SCOPES_SUPPORTED, Collections.singletonList("openid"));
claims.put(OidcProviderMetadataClaimNames.RESPONSE_TYPES_SUPPORTED, Collections.singletonList("code"));
claims.put(OidcProviderMetadataClaimNames.SUBJECT_TYPES_SUPPORTED, Collections.singletonList("public"));
claims.put("some-claim", "some-value");
OidcProviderConfiguration providerConfiguration = OidcProviderConfiguration.withClaims(claims).build();
@ -116,19 +117,19 @@ public class OidcProviderConfigurationTests {
assertThat(providerConfiguration.getGrantTypes()).isNull();
assertThat(providerConfiguration.getSubjectTypes()).containsExactly("public");
assertThat(providerConfiguration.getTokenEndpointAuthenticationMethods()).isNull();
assertThat(providerConfiguration.getClaimAsString("some-claim")).isEqualTo("some-value");
assertThat(providerConfiguration.<String>getClaim("some-claim")).isEqualTo("some-value");
}
@Test
public void buildFromClaimsWhenUsingUrlsThenCreated() {
HashMap<String, Object> claims = new HashMap<>();
public void buildWhenClaimsProvidedWithUrlsThenCreated() {
Map<String, Object> claims = new HashMap<>();
claims.put(OidcProviderMetadataClaimNames.ISSUER, url("https://example.com/issuer1"));
claims.put(OidcProviderMetadataClaimNames.AUTHORIZATION_ENDPOINT, url("https://example.com/issuer1/oauth2/authorize"));
claims.put(OidcProviderMetadataClaimNames.TOKEN_ENDPOINT, url("https://example.com/issuer1/oauth2/token"));
claims.put(OidcProviderMetadataClaimNames.JWKS_URI, url("https://example.com/issuer1/oauth2/jwks"));
claims.put(OidcProviderMetadataClaimNames.SCOPES_SUPPORTED, Collections.singleton("openid"));
claims.put(OidcProviderMetadataClaimNames.RESPONSE_TYPES_SUPPORTED, Collections.singleton("code"));
claims.put(OidcProviderMetadataClaimNames.SUBJECT_TYPES_SUPPORTED, Collections.singleton("public"));
claims.put(OidcProviderMetadataClaimNames.SCOPES_SUPPORTED, Collections.singletonList("openid"));
claims.put(OidcProviderMetadataClaimNames.RESPONSE_TYPES_SUPPORTED, Collections.singletonList("code"));
claims.put(OidcProviderMetadataClaimNames.SUBJECT_TYPES_SUPPORTED, Collections.singletonList("public"));
claims.put("some-claim", "some-value");
OidcProviderConfiguration providerConfiguration = OidcProviderConfiguration.withClaims(claims).build();
@ -142,45 +143,46 @@ public class OidcProviderConfigurationTests {
assertThat(providerConfiguration.getGrantTypes()).isNull();
assertThat(providerConfiguration.getSubjectTypes()).containsExactly("public");
assertThat(providerConfiguration.getTokenEndpointAuthenticationMethods()).isNull();
assertThat(providerConfiguration.getClaimAsString("some-claim")).isEqualTo("some-value");
assertThat(providerConfiguration.<String>getClaim("some-claim")).isEqualTo("some-value");
}
@Test
public void withClaimsWhenNullThenThrowsException() {
public void withClaimsWhenNullThenThrowIllegalArgumentException() {
assertThatThrownBy(() -> OidcProviderConfiguration.withClaims(null))
.isInstanceOf(IllegalArgumentException.class);
}
@Test
public void withClaimsWhenMissingRequiredClaimsThenThrowsException() {
public void withClaimsWhenMissingRequiredClaimsThenThrowIllegalArgumentException() {
assertThatThrownBy(() -> OidcProviderConfiguration.withClaims(Collections.emptyMap()))
.isInstanceOf(IllegalArgumentException.class);
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("claims cannot be empty");
}
@Test
public void buildWhenCalledTwiceThenGeneratesTwoConfigurations() {
OidcProviderConfiguration first = minimalConfigurationBuilder
OidcProviderConfiguration first = this.minimalConfigurationBuilder
.grantType("client_credentials")
.build();
OidcProviderConfiguration second = minimalConfigurationBuilder
OidcProviderConfiguration second = this.minimalConfigurationBuilder
.claims((claims) ->
{
LinkedHashSet<String> newGrantTypes = new LinkedHashSet<>();
Set<String> newGrantTypes = new LinkedHashSet<>();
newGrantTypes.add("authorization_code");
newGrantTypes.add("implicit");
newGrantTypes.add("custom_grant");
claims.put(OidcProviderMetadataClaimNames.GRANT_TYPES_SUPPORTED, newGrantTypes);
}
)
.build();
assertThat(first.getGrantTypes()).containsExactly("client_credentials");
assertThat(second.getGrantTypes()).containsExactlyInAnyOrder("authorization_code", "implicit");
assertThat(second.getGrantTypes()).containsExactlyInAnyOrder("authorization_code", "custom_grant");
}
@Test
public void buildWhenMissingIssuerThenThrowsException() {
OidcProviderConfiguration.Builder builder = minimalConfigurationBuilder
public void buildWhenMissingIssuerThenThrowIllegalArgumentException() {
OidcProviderConfiguration.Builder builder = this.minimalConfigurationBuilder
.claims((claims) -> claims.remove(OidcProviderMetadataClaimNames.ISSUER));
assertThatThrownBy(builder::build)
@ -189,18 +191,18 @@ public class OidcProviderConfigurationTests {
}
@Test
public void buildWhenIssuerIsNotAnUrlThenThrowsException() {
OidcProviderConfiguration.Builder builder = minimalConfigurationBuilder
public void buildWhenIssuerNotUrlThenThrowIllegalArgumentException() {
OidcProviderConfiguration.Builder builder = this.minimalConfigurationBuilder
.claims((claims) -> claims.put(OidcProviderMetadataClaimNames.ISSUER, "not an url"));
assertThatThrownBy(builder::build)
.isInstanceOf(IllegalArgumentException.class)
.hasMessageStartingWith("issuer must be a valid URL");
.hasMessage("issuer must be a valid URL");
}
@Test
public void buildWhenMissingAuthorizationEndpointThenThrowsException() {
OidcProviderConfiguration.Builder builder = minimalConfigurationBuilder
public void buildWhenMissingAuthorizationEndpointThenThrowIllegalArgumentException() {
OidcProviderConfiguration.Builder builder = this.minimalConfigurationBuilder
.claims((claims) -> claims.remove(OidcProviderMetadataClaimNames.AUTHORIZATION_ENDPOINT));
assertThatThrownBy(builder::build)
@ -209,8 +211,8 @@ public class OidcProviderConfigurationTests {
}
@Test
public void buildWhenAuthorizationEndpointIsNotAnUrlThenThrowsException() {
OidcProviderConfiguration.Builder builder = minimalConfigurationBuilder
public void buildWhenAuthorizationEndpointNotUrlThenThrowIllegalArgumentException() {
OidcProviderConfiguration.Builder builder = this.minimalConfigurationBuilder
.claims((claims) -> claims.put(OidcProviderMetadataClaimNames.AUTHORIZATION_ENDPOINT, "not an url"));
assertThatThrownBy(builder::build)
@ -219,8 +221,8 @@ public class OidcProviderConfigurationTests {
}
@Test
public void buildWhenMissingTokenEndpointThenThrowsException() {
OidcProviderConfiguration.Builder builder = minimalConfigurationBuilder
public void buildWhenMissingTokenEndpointThenThrowIllegalArgumentException() {
OidcProviderConfiguration.Builder builder = this.minimalConfigurationBuilder
.claims((claims) -> claims.remove(OidcProviderMetadataClaimNames.TOKEN_ENDPOINT));
assertThatThrownBy(builder::build)
@ -229,8 +231,8 @@ public class OidcProviderConfigurationTests {
}
@Test
public void buildWhenTokenEndpointIsNotAnUrlThenThrowsException() {
OidcProviderConfiguration.Builder builder = minimalConfigurationBuilder
public void buildWhenTokenEndpointNotUrlThenThrowIllegalArgumentException() {
OidcProviderConfiguration.Builder builder = this.minimalConfigurationBuilder
.claims((claims) -> claims.put(OidcProviderMetadataClaimNames.TOKEN_ENDPOINT, "not an url"));
assertThatThrownBy(builder::build)
@ -239,48 +241,100 @@ public class OidcProviderConfigurationTests {
}
@Test
public void buildWhenMissingJwksUriThenThrowsException() {
OidcProviderConfiguration.Builder builder = minimalConfigurationBuilder
public void buildWhenMissingJwksUriThenThrowIllegalArgumentException() {
OidcProviderConfiguration.Builder builder = this.minimalConfigurationBuilder
.claims((claims) -> claims.remove(OidcProviderMetadataClaimNames.JWKS_URI));
assertThatThrownBy(builder::build)
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("jwkSetUri cannot be null");
.hasMessage("jwksUri cannot be null");
}
@Test
public void buildWheJwksUriIsNotAnUrlThenThrowsException() {
OidcProviderConfiguration.Builder builder = minimalConfigurationBuilder
public void buildWhenJwksUriNotUrlThenThrowIllegalArgumentException() {
OidcProviderConfiguration.Builder builder = this.minimalConfigurationBuilder
.claims((claims) -> claims.put(OidcProviderMetadataClaimNames.JWKS_URI, "not an url"));
assertThatThrownBy(builder::build)
.isInstanceOf(IllegalArgumentException.class)
.hasMessageStartingWith("jwkSetUri must be a valid URL");
.hasMessageStartingWith("jwksUri must be a valid URL");
}
@Test
public void buildWhenMissingResponseTypesThenThrowsException() {
OidcProviderConfiguration.Builder builder = minimalConfigurationBuilder
public void buildWhenMissingResponseTypesThenThrowIllegalArgumentException() {
OidcProviderConfiguration.Builder builder = this.minimalConfigurationBuilder
.claims((claims) -> claims.remove(OidcProviderMetadataClaimNames.RESPONSE_TYPES_SUPPORTED));
assertThatThrownBy(builder::build)
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("responseTypes cannot be empty");
.hasMessage("responseTypes cannot be null");
}
@Test
public void buildWhenMissingSubjectTypesThenThrowsException() {
OidcProviderConfiguration.Builder builder = minimalConfigurationBuilder
public void buildWhenResponseTypesNotListThenThrowIllegalArgumentException() {
OidcProviderConfiguration.Builder builder = this.minimalConfigurationBuilder
.claims((claims) -> {
claims.remove(OidcProviderMetadataClaimNames.RESPONSE_TYPES_SUPPORTED);
claims.put(OidcProviderMetadataClaimNames.RESPONSE_TYPES_SUPPORTED, "code");
});
assertThatThrownBy(builder::build)
.isInstanceOf(IllegalArgumentException.class)
.hasMessageContaining("responseTypes must be of type List");
}
@Test
public void buildWhenResponseTypesEmptyListThenThrowIllegalArgumentException() {
OidcProviderConfiguration.Builder builder = this.minimalConfigurationBuilder
.claims((claims) -> {
claims.remove(OidcProviderMetadataClaimNames.RESPONSE_TYPES_SUPPORTED);
claims.put(OidcProviderMetadataClaimNames.RESPONSE_TYPES_SUPPORTED, Collections.emptyList());
});
assertThatThrownBy(builder::build)
.isInstanceOf(IllegalArgumentException.class)
.hasMessageContaining("responseTypes cannot be empty");
}
@Test
public void buildWhenMissingSubjectTypesThenThrowIllegalArgumentException() {
OidcProviderConfiguration.Builder builder = this.minimalConfigurationBuilder
.claims((claims) -> claims.remove(OidcProviderMetadataClaimNames.SUBJECT_TYPES_SUPPORTED));
assertThatThrownBy(builder::build)
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("subjectTypes cannot be empty");
.hasMessage("subjectTypes cannot be null");
}
@Test
public void buildWhenSubjectTypesNotListThenThrowIllegalArgumentException() {
OidcProviderConfiguration.Builder builder = this.minimalConfigurationBuilder
.claims((claims) -> {
claims.remove(OidcProviderMetadataClaimNames.SUBJECT_TYPES_SUPPORTED);
claims.put(OidcProviderMetadataClaimNames.SUBJECT_TYPES_SUPPORTED, "public");
});
assertThatThrownBy(builder::build)
.isInstanceOf(IllegalArgumentException.class)
.hasMessageContaining("subjectTypes must be of type List");
}
@Test
public void buildWhenSubjectTypesEmptyListThenThrowIllegalArgumentException() {
OidcProviderConfiguration.Builder builder = this.minimalConfigurationBuilder
.claims((claims) -> {
claims.remove(OidcProviderMetadataClaimNames.SUBJECT_TYPES_SUPPORTED);
claims.put(OidcProviderMetadataClaimNames.SUBJECT_TYPES_SUPPORTED, Collections.emptyList());
});
assertThatThrownBy(builder::build)
.isInstanceOf(IllegalArgumentException.class)
.hasMessageContaining("subjectTypes cannot be empty");
}
@Test
public void responseTypesWhenAddingOrRemovingThenCorrectValues() {
OidcProviderConfiguration configuration = minimalConfigurationBuilder
OidcProviderConfiguration configuration = this.minimalConfigurationBuilder
.responseType("should-be-removed")
.responseTypes(responseTypes -> {
responseTypes.clear();
@ -293,7 +347,7 @@ public class OidcProviderConfigurationTests {
@Test
public void responseTypesWhenNotPresentAndAddingThenCorrectValues() {
OidcProviderConfiguration configuration = minimalConfigurationBuilder
OidcProviderConfiguration configuration = this.minimalConfigurationBuilder
.claims(claims -> claims.remove(OidcProviderMetadataClaimNames.RESPONSE_TYPES_SUPPORTED))
.responseTypes(responseTypes -> responseTypes.add("some-response-type"))
.build();
@ -303,7 +357,7 @@ public class OidcProviderConfigurationTests {
@Test
public void subjectTypesWhenAddingOrRemovingThenCorrectValues() {
OidcProviderConfiguration configuration = minimalConfigurationBuilder
OidcProviderConfiguration configuration = this.minimalConfigurationBuilder
.subjectType("should-be-removed")
.subjectTypes(subjectTypes -> {
subjectTypes.clear();
@ -316,7 +370,7 @@ public class OidcProviderConfigurationTests {
@Test
public void scopesWhenAddingOrRemovingThenCorrectValues() {
OidcProviderConfiguration configuration = minimalConfigurationBuilder
OidcProviderConfiguration configuration = this.minimalConfigurationBuilder
.scope("should-be-removed")
.scopes(scopes -> {
scopes.clear();
@ -329,7 +383,7 @@ public class OidcProviderConfigurationTests {
@Test
public void grantTypesWhenAddingOrRemovingThenCorrectValues() {
OidcProviderConfiguration configuration = minimalConfigurationBuilder
OidcProviderConfiguration configuration = this.minimalConfigurationBuilder
.grantType("should-be-removed")
.grantTypes(grantTypes -> {
grantTypes.clear();
@ -342,7 +396,7 @@ public class OidcProviderConfigurationTests {
@Test
public void tokenEndpointAuthenticationMethodsWhenAddingOrRemovingThenCorrectValues() {
OidcProviderConfiguration configuration = minimalConfigurationBuilder
OidcProviderConfiguration configuration = this.minimalConfigurationBuilder
.tokenEndpointAuthenticationMethod("should-be-removed")
.tokenEndpointAuthenticationMethods(authMethods -> {
authMethods.clear();
@ -355,24 +409,22 @@ public class OidcProviderConfigurationTests {
@Test
public void claimWhenNameIsNullThenThrowIllegalArgumentException() {
OidcProviderConfiguration.Builder builder = OidcProviderConfiguration.withClaims();
assertThatThrownBy(() -> builder.claim(null, "value"))
assertThatThrownBy(() -> OidcProviderConfiguration.withClaims().claim(null, "value"))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("name cannot be empty");
}
@Test
public void claimWhenValueIsNullThenThrowIllegalArgumentException() {
OidcProviderConfiguration.Builder builder = OidcProviderConfiguration.withClaims();
assertThatThrownBy(() -> builder.claim("claim-name", null))
assertThatThrownBy(() -> OidcProviderConfiguration.withClaims().claim("claim-name", null))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("value cannot be null");
}
@Test
public void claimsWhenRemovingAClaimThenIsNotPresent() {
public void claimsWhenRemovingClaimThenNotPresent() {
OidcProviderConfiguration configuration =
minimalConfigurationBuilder
this.minimalConfigurationBuilder
.grantType("some-grant-type")
.claims((claims) -> claims.remove(OidcProviderMetadataClaimNames.GRANT_TYPES_SUPPORTED))
.build();
@ -380,9 +432,9 @@ public class OidcProviderConfigurationTests {
}
@Test
public void claimsWhenAddingAClaimThenIsPresent() {
public void claimsWhenAddingClaimThenPresent() {
OidcProviderConfiguration configuration =
minimalConfigurationBuilder
this.minimalConfigurationBuilder
.claims((claims) -> claims.put(OidcProviderMetadataClaimNames.GRANT_TYPES_SUPPORTED, "authorization_code"))
.build();
assertThat(configuration.getGrantTypes()).containsExactly("authorization_code");
@ -391,7 +443,7 @@ public class OidcProviderConfigurationTests {
private static URL url(String urlString) {
try {
return new URL(urlString);
} catch (MalformedURLException e) {
} catch (Exception ex) {
throw new IllegalArgumentException("urlString must be a valid URL and valid URI");
}
}

View File

@ -13,7 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.oauth2.core.http.converter;
package org.springframework.security.oauth2.core.oidc.http.converter;
import org.junit.Test;
import org.springframework.core.convert.converter.Converter;
@ -24,7 +24,6 @@ import org.springframework.mock.http.MockHttpOutputMessage;
import org.springframework.mock.http.client.MockClientHttpResponse;
import org.springframework.security.oauth2.core.oidc.OidcProviderConfiguration;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Arrays;
import java.util.Map;
@ -48,17 +47,17 @@ public class OidcProviderConfigurationHttpMessageConverterTests {
}
@Test
public void setProviderConfigurationParametersConverterWhenConverterIsNullThenThrowIllegalArgumentException() {
public void setProviderConfigurationParametersConverterWhenNullThenThrowIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(() -> this.messageConverter.setProviderConfigurationParametersConverter(null));
}
@Test
public void setProviderConfigurationConverterWhenConverterIsNullThenThrowIllegalArgumentException() {
public void setProviderConfigurationConverterWhenNullThenThrowIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(() -> this.messageConverter.setProviderConfigurationConverter(null));
}
@Test
public void readInternalWhenSuccessfulProviderConfigurationOnlyRequiredParametersThenReadOidcProviderConfiguration() throws Exception {
public void readInternalWhenRequiredParametersThenSuccess() throws Exception {
// @formatter:off
String providerConfigurationResponse = "{\n"
+ " \"issuer\": \"https://example.com/issuer1\",\n"
@ -85,7 +84,7 @@ public class OidcProviderConfigurationHttpMessageConverterTests {
}
@Test
public void readInternalWhenSuccessfulProviderConfigurationThenReadOidcProviderConfiguration() throws Exception {
public void readInternalWhenValidParametersThenSuccess() throws Exception {
// @formatter:off
String providerConfigurationResponse = "{\n"
+ " \"issuer\": \"https://example.com/issuer1\",\n"
@ -96,7 +95,7 @@ public class OidcProviderConfigurationHttpMessageConverterTests {
+ " \"response_types_supported\": [\"code\"],\n"
+ " \"grant_types_supported\": [\"authorization_code\", \"client_credentials\"],\n"
+ " \"subject_types_supported\": [\"public\"],\n"
+ " \"token_endpoint_auth_methods_supported\": [\"basic\"],\n"
+ " \"token_endpoint_auth_methods_supported\": [\"client_secret_basic\"],\n"
+ " \"custom_claim\": \"value\",\n"
+ " \"custom_collection_claim\": [\"value1\", \"value2\"]\n"
+ "}\n";
@ -113,8 +112,8 @@ public class OidcProviderConfigurationHttpMessageConverterTests {
assertThat(providerConfiguration.getResponseTypes()).containsExactly("code");
assertThat(providerConfiguration.getGrantTypes()).containsExactlyInAnyOrder("authorization_code", "client_credentials");
assertThat(providerConfiguration.getSubjectTypes()).containsExactly("public");
assertThat(providerConfiguration.getTokenEndpointAuthenticationMethods()).containsExactly("basic");
assertThat(providerConfiguration.getClaimAsString("custom_claim")).isEqualTo("value");
assertThat(providerConfiguration.getTokenEndpointAuthenticationMethods()).containsExactly("client_secret_basic");
assertThat(providerConfiguration.<String>getClaim("custom_claim")).isEqualTo("value");
assertThat(providerConfiguration.getClaimAsStringList("custom_collection_claim")).containsExactlyInAnyOrder("value1", "value2");
}
@ -144,7 +143,7 @@ public class OidcProviderConfigurationHttpMessageConverterTests {
}
@Test
public void writeInternalWhenOidcProviderConfigurationThenWriteTokenResponse() throws Exception {
public void writeInternalWhenProviderConfigurationThenSuccess() {
OidcProviderConfiguration providerConfiguration =
OidcProviderConfiguration.withClaims()
.issuer("https://example.com/issuer1")
@ -156,7 +155,7 @@ public class OidcProviderConfigurationHttpMessageConverterTests {
.grantType("authorization_code")
.grantType("client_credentials")
.subjectType("public")
.tokenEndpointAuthenticationMethod("basic")
.tokenEndpointAuthenticationMethod("client_secret_basic")
.claim("custom_claim", "value")
.claim("custom_collection_claim", Arrays.asList("value1", "value2"))
.build();
@ -173,14 +172,13 @@ public class OidcProviderConfigurationHttpMessageConverterTests {
assertThat(providerConfigurationResponse).contains("\"response_types_supported\":[\"code\"]");
assertThat(providerConfigurationResponse).contains("\"grant_types_supported\":[\"authorization_code\",\"client_credentials\"]");
assertThat(providerConfigurationResponse).contains("\"subject_types_supported\":[\"public\"]");
assertThat(providerConfigurationResponse).contains("\"token_endpoint_auth_methods_supported\":[\"basic\"]");
assertThat(providerConfigurationResponse).contains("\"token_endpoint_auth_methods_supported\":[\"client_secret_basic\"]");
assertThat(providerConfigurationResponse).contains("\"custom_claim\":\"value\"");
assertThat(providerConfigurationResponse).contains("\"custom_collection_claim\":[\"value1\",\"value2\"]");
}
@Test
@SuppressWarnings("unchecked")
public void writeInternalWhenWriteFailsThenThrowsException() throws MalformedURLException {
public void writeInternalWhenWriteFailsThenThrowsException() {
String errorMessage = "this is not a valid converter";
Converter<OidcProviderConfiguration, Map<String, Object>> failingConverter =
source -> {
@ -190,10 +188,10 @@ public class OidcProviderConfigurationHttpMessageConverterTests {
OidcProviderConfiguration providerConfiguration =
OidcProviderConfiguration.withClaims()
.issuer("https://example.com")
.authorizationEndpoint("https://example.com")
.tokenEndpoint("https://example.com")
.jwksUri("https://example.com")
.issuer("https://example.com/issuer1")
.authorizationEndpoint("https://example.com/issuer1/oauth2/authorize")
.tokenEndpoint("https://example.com/issuer1/oauth2/token")
.jwksUri("https://example.com/issuer1/oauth2/jwks")
.responseType("code")
.subjectType("public")
.build();

View File

@ -17,8 +17,6 @@ package org.springframework.security.oauth2.server.authorization.config;
import org.junit.Test;
import java.net.MalformedURLException;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy;
@ -28,41 +26,42 @@ import static org.assertj.core.api.Assertions.assertThatThrownBy;
* @author Daniel Garnier-Moiroux
*/
public class ProviderSettingsTests {
@Test
public void constructorWhenDefaultThenDefaultsAreSetAndIssuerIsNotSet() {
public void constructorWhenDefaultThenDefaultsAreSet() {
ProviderSettings providerSettings = new ProviderSettings();
assertThat(providerSettings.issuer()).isNull();
assertThat(providerSettings.authorizationEndpoint()).isEqualTo("/oauth2/authorize");
assertThat(providerSettings.tokenEndpoint()).isEqualTo("/oauth2/token");
assertThat(providerSettings.jwkSetEndpoint()).isEqualTo("/oauth2/jwks");
assertThat(providerSettings.jwksEndpoint()).isEqualTo("/oauth2/jwks");
assertThat(providerSettings.tokenRevocationEndpoint()).isEqualTo("/oauth2/revoke");
}
@Test
public void settingsWhenProvidedThenSet() throws MalformedURLException {
String authorizationEndpoint = "/my-endpoints/authorize";
String tokenEndpoint = "/my-endpoints/token";
String jwksEndpoint = "/my-endpoints/jwks";
String tokenRevocationEndpoint = "/my-endpoints/revoke";
String issuer = "https://example.com/9000";
public void settingsWhenProvidedThenSet() {
String authorizationEndpoint = "/oauth2/v1/authorize";
String tokenEndpoint = "/oauth2/v1/token";
String jwksEndpoint = "/oauth2/v1/jwks";
String tokenRevocationEndpoint = "/oauth2/v1/revoke";
String issuer = "https://example.com:9000";
ProviderSettings providerSettings = new ProviderSettings()
.issuer(issuer)
.authorizationEndpoint(authorizationEndpoint)
.tokenEndpoint(tokenEndpoint)
.jwkSetEndpoint(jwksEndpoint)
.jwksEndpoint(jwksEndpoint)
.tokenRevocationEndpoint(tokenRevocationEndpoint);
assertThat(providerSettings.issuer()).isEqualTo(issuer);
assertThat(providerSettings.authorizationEndpoint()).isEqualTo(authorizationEndpoint);
assertThat(providerSettings.tokenEndpoint()).isEqualTo(tokenEndpoint);
assertThat(providerSettings.jwkSetEndpoint()).isEqualTo(jwksEndpoint);
assertThat(providerSettings.jwksEndpoint()).isEqualTo(jwksEndpoint);
assertThat(providerSettings.tokenRevocationEndpoint()).isEqualTo(tokenRevocationEndpoint);
}
@Test
public void settingWhenCalledThenReturnTokenSettings() {
public void settingWhenCustomThenReturnAllSettings() {
ProviderSettings providerSettings = new ProviderSettings()
.setting("name1", "value1")
.settings(settings -> settings.put("name2", "value2"));
@ -73,54 +72,42 @@ public class ProviderSettingsTests {
}
@Test
public void issuerWhenNullThenThrowsIllegalArgumentException() {
public void issuerWhenNullThenThrowIllegalArgumentException() {
ProviderSettings settings = new ProviderSettings();
assertThatThrownBy(() -> settings.issuer(null))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("issuer cannot be null");
.hasMessage("value cannot be null");
}
@Test
public void authorizationEndpointWhenNullThenThrowsIllegalArgumentException() {
public void authorizationEndpointWhenNullThenThrowIllegalArgumentException() {
ProviderSettings settings = new ProviderSettings();
assertThatThrownBy(() -> settings.authorizationEndpoint(null))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("authorizationEndpoint cannot be empty");
assertThatThrownBy(() -> settings.authorizationEndpoint(""))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("authorizationEndpoint cannot be empty");
.hasMessage("value cannot be null");
}
@Test
public void tokenEndpointWhenNullThenThrowsIllegalArgumentException() {
public void tokenEndpointWhenNullThenThrowIllegalArgumentException() {
ProviderSettings settings = new ProviderSettings();
assertThatThrownBy(() -> settings.tokenEndpoint(null))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("tokenEndpoint cannot be empty");
assertThatThrownBy(() -> settings.tokenEndpoint(""))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("tokenEndpoint cannot be empty");
.hasMessage("value cannot be null");
}
@Test
public void tokenRevocationEndpointWhenNullThenThrowsIllegalArgumentException() {
public void tokenRevocationEndpointWhenNullThenThrowIllegalArgumentException() {
ProviderSettings settings = new ProviderSettings();
assertThatThrownBy(() -> settings.tokenRevocationEndpoint(null))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("tokenRevocationEndpoint cannot be empty");
assertThatThrownBy(() -> settings.tokenRevocationEndpoint(""))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("tokenRevocationEndpoint cannot be empty");
.hasMessage("value cannot be null");
}
@Test
public void jwkSetEndpointWhenNullThenThrowsIllegalArgumentException() {
public void jwksEndpointWhenNullThenThrowIllegalArgumentException() {
ProviderSettings settings = new ProviderSettings();
assertThatThrownBy(() -> settings.jwkSetEndpoint(null))
assertThatThrownBy(() -> settings.jwksEndpoint(null))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("jwkSetEndpoint cannot be empty");
assertThatThrownBy(() -> settings.jwkSetEndpoint(""))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("jwkSetEndpoint cannot be empty");
.hasMessage("value cannot be null");
}
}

View File

@ -38,6 +38,7 @@ import static org.mockito.Mockito.verifyNoInteractions;
* @author Daniel Garnier-Moiroux
*/
public class OidcProviderConfigurationEndpointFilterTests {
@Test
public void constructorWhenProviderSettingsNullThenThrowIllegalArgumentException() {
assertThatThrownBy(() -> new OidcProviderConfigurationEndpointFilter(null))
@ -46,8 +47,10 @@ public class OidcProviderConfigurationEndpointFilterTests {
}
@Test
public void doFilterWhenRequestDoesNotMatchThenNotProcessed() throws Exception {
OidcProviderConfigurationEndpointFilter filter = new OidcProviderConfigurationEndpointFilter(new ProviderSettings());
public void doFilterWhenNotConfigurationRequestThenNotProcessed() throws Exception {
OidcProviderConfigurationEndpointFilter filter =
new OidcProviderConfigurationEndpointFilter(new ProviderSettings());
String requestUri = "/path";
MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
request.setServletPath(requestUri);
@ -60,20 +63,38 @@ public class OidcProviderConfigurationEndpointFilterTests {
}
@Test
public void doFilterWhenSuccessThenConfigurationResponse() throws Exception {
String authorizationEndpoint = "/my-endpoints/authorize";
String tokenEndpoint = "/my-endpoints/token";
String jwksEndpoint = "/my-endpoints/jwks";
public void doFilterWhenConfigurationRequestPostThenNotProcessed() throws Exception {
OidcProviderConfigurationEndpointFilter filter =
new OidcProviderConfigurationEndpointFilter(new ProviderSettings());
String requestUri = OidcProviderConfigurationEndpointFilter.DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI;
MockHttpServletRequest request = new MockHttpServletRequest("POST", requestUri);
request.setServletPath(requestUri);
MockHttpServletResponse response = new MockHttpServletResponse();
FilterChain filterChain = mock(FilterChain.class);
filter.doFilter(request, response, filterChain);
verify(filterChain).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
}
@Test
public void doFilterWhenConfigurationRequestThenConfigurationResponse() throws Exception {
String authorizationEndpoint = "/oauth2/v1/authorize";
String tokenEndpoint = "/oauth2/v1/token";
String jwksEndpoint = "/oauth2/v1/jwks";
ProviderSettings providerSettings = new ProviderSettings()
.issuer("https://example.com/issuer1")
.authorizationEndpoint(authorizationEndpoint)
.tokenEndpoint(tokenEndpoint)
.jwkSetEndpoint(jwksEndpoint);
OidcProviderConfigurationEndpointFilter filter = new OidcProviderConfigurationEndpointFilter(providerSettings);
.jwksEndpoint(jwksEndpoint);
OidcProviderConfigurationEndpointFilter filter =
new OidcProviderConfigurationEndpointFilter(providerSettings);
MockHttpServletRequest request = new MockHttpServletRequest("GET", org.springframework.security.oauth2.server.authorization.web.OidcProviderConfigurationEndpointFilter.DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI);
request.setServletPath(org.springframework.security.oauth2.server.authorization.web.OidcProviderConfigurationEndpointFilter.DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI);
String requestUri = OidcProviderConfigurationEndpointFilter.DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI;
MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
request.setServletPath(requestUri);
MockHttpServletResponse response = new MockHttpServletResponse();
FilterChain filterChain = mock(FilterChain.class);
@ -84,29 +105,31 @@ public class OidcProviderConfigurationEndpointFilterTests {
assertThat(response.getContentType()).isEqualTo(MediaType.APPLICATION_JSON_VALUE);
String providerConfigurationResponse = response.getContentAsString();
assertThat(providerConfigurationResponse).contains("\"issuer\":\"https://example.com/issuer1\"");
assertThat(providerConfigurationResponse).contains("\"authorization_endpoint\":\"https://example.com/issuer1/my-endpoints/authorize\"");
assertThat(providerConfigurationResponse).contains("\"token_endpoint\":\"https://example.com/issuer1/my-endpoints/token\"");
assertThat(providerConfigurationResponse).contains("\"jwks_uri\":\"https://example.com/issuer1/my-endpoints/jwks\"");
assertThat(providerConfigurationResponse).contains("\"authorization_endpoint\":\"https://example.com/issuer1/oauth2/v1/authorize\"");
assertThat(providerConfigurationResponse).contains("\"token_endpoint\":\"https://example.com/issuer1/oauth2/v1/token\"");
assertThat(providerConfigurationResponse).contains("\"jwks_uri\":\"https://example.com/issuer1/oauth2/v1/jwks\"");
assertThat(providerConfigurationResponse).contains("\"scopes_supported\":[\"openid\"]");
assertThat(providerConfigurationResponse).contains("\"response_types_supported\":[\"code\"]");
assertThat(providerConfigurationResponse).contains("\"grant_types_supported\":[\"authorization_code\",\"client_credentials\"]");
assertThat(providerConfigurationResponse).contains("\"grant_types_supported\":[\"authorization_code\",\"client_credentials\",\"refresh_token\"]");
assertThat(providerConfigurationResponse).contains("\"subject_types_supported\":[\"public\"]");
assertThat(providerConfigurationResponse).contains("\"token_endpoint_auth_methods_supported\":[\"client_secret_basic\"]");
assertThat(providerConfigurationResponse).contains("\"token_endpoint_auth_methods_supported\":[\"client_secret_basic\",\"client_secret_post\"]");
}
@Test
public void doFilterWhenProviderSettingsWithInvalidIssuerThenThrowIllegalArgumentException() {
public void doFilterWhenProviderSettingsWithInvalidIssuerThenThrowIllegalArgumentException() {
ProviderSettings providerSettings = new ProviderSettings()
.issuer("https://this is an invalid URL");
OidcProviderConfigurationEndpointFilter filter = new OidcProviderConfigurationEndpointFilter(providerSettings);
OidcProviderConfigurationEndpointFilter filter =
new OidcProviderConfigurationEndpointFilter(providerSettings);
MockHttpServletRequest request = new MockHttpServletRequest("GET", org.springframework.security.oauth2.server.authorization.web.OidcProviderConfigurationEndpointFilter.DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI);
request.setServletPath(org.springframework.security.oauth2.server.authorization.web.OidcProviderConfigurationEndpointFilter.DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI);
String requestUri = OidcProviderConfigurationEndpointFilter.DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI;
MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
request.setServletPath(requestUri);
MockHttpServletResponse response = new MockHttpServletResponse();
FilterChain filterChain = mock(FilterChain.class);
assertThatThrownBy(() -> filter.doFilter(request, response, filterChain))
.isInstanceOf(IllegalArgumentException.class);
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("issuer must be a valid URL");
}
}