From c00226d0c6437509b2ecdc4978e97954916fa121 Mon Sep 17 00:00:00 2001
From: Joe Grandja
Date: Wed, 10 Feb 2021 19:37:14 -0500
Subject: [PATCH] Store authorizedScopes attribute for client_credentials grant

Issue gh-213
---
 .../OAuth2ClientCredentialsAuthenticationProvider.java | 9 +++++----
 ...uth2ClientCredentialsAuthenticationProviderTests.java | 4 +++-
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationProvider.java
index c780774..680dbe1 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationProvider.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationProvider.java
@@ -102,7 +102,7 @@ public class OAuth2ClientCredentialsAuthenticationProvider implements Authentica
 throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT));
 }
- Set scopes = registeredClient.getScopes(); // Default to configured scopes
+ Set authorizedScopes = registeredClient.getScopes(); // Default to configured scopes
 if (!CollectionUtils.isEmpty(clientCredentialsAuthentication.getScopes())) {
 Set unauthorizedScopes = clientCredentialsAuthentication.getScopes().stream()
 .filter(requestedScope -> !registeredClient.getScopes().contains(requestedScope))
@@ -110,14 +110,14 @@ public class OAuth2ClientCredentialsAuthenticationProvider implements Authentica
 if (!CollectionUtils.isEmpty(unauthorizedScopes)) {
 throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_SCOPE));
 }
- scopes = new LinkedHashSet<>(clientCredentialsAuthentication.getScopes());
+ authorizedScopes = new LinkedHashSet<>(clientCredentialsAuthentication.getScopes());
 }
 String issuer = this.providerSettings != null ? this.providerSettings.issuer() : null;
 JoseHeader.Builder headersBuilder = JwtUtils.headers();
 JwtClaimsSet.Builder claimsBuilder = JwtUtils.accessTokenClaims(
- registeredClient, issuer, clientPrincipal.getName(), scopes);
+ registeredClient, issuer, clientPrincipal.getName(), authorizedScopes);
 // @formatter:off
 JwtEncodingContext context = JwtEncodingContext.with(headersBuilder, claimsBuilder)
@@ -137,7 +137,7 @@ public class OAuth2ClientCredentialsAuthenticationProvider implements Authentica
 OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
 jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(),
- jwtAccessToken.getExpiresAt(), scopes);
+ jwtAccessToken.getExpiresAt(), authorizedScopes);
 // @formatter:off
 OAuth2Authorization authorization = OAuth2Authorization.withRegisteredClient(registeredClient)
@@ -146,6 +146,7 @@ public class OAuth2ClientCredentialsAuthenticationProvider implements Authentica
 .token(accessToken, (metadata) -> metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, jwtAccessToken.getClaims()))
+ .attribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME, authorizedScopes)
 .build();
 // @formatter:on
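Review bot: The set stored by the new `.attribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME, authorizedScopes)` line is the same instance that was already handed to `JwtUtils.accessTokenClaims(...)` and to the `OAuth2AccessToken` constructor, and in the default branch it is `registeredClient.getScopes()` itself while in the requested-scope branch (hunk @@ -110) it is a plain mutable `LinkedHashSet`. If `getScopes()` returns a live view, or the authorization is held in memory rather than serialized on persist (I cannot see `RegisteredClient` or the service from here), a later mutation of that set would silently change what the stored authorization says was granted; taking one snapshot right after the scope check, e.g. `authorizedScopes = Collections.unmodifiableSet(new LinkedHashSet<>(authorizedScopes));` (assuming `java.util.Collections` is importable), removes the aliasing across all three uses. A short why-comment on the added line would also help readers of the authorization record, e.g. `// Record the scopes actually granted so consumers need not re-derive them from the token`. The enclosing method starts before the first hunk and continues past this one.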
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationProviderTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationProviderTests.java
index 01467bb..cd3fb9b 100644
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationProviderTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationProviderTests.java
@@ -207,7 +207,9 @@ public class OAuth2ClientCredentialsAuthenticationProviderTests {
 assertThat(authorization.getPrincipalName()).isEqualTo(clientPrincipal.getName());
 assertThat(authorization.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.CLIENT_CREDENTIALS);
 assertThat(authorization.getAccessToken()).isNotNull();
- assertThat(authorization.getAccessToken().getToken().getScopes()).isEqualTo(clientPrincipal.getRegisteredClient().getScopes());
+ assertThat(authorization.>getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME)).isNotNull();
+ assertThat(authorization.getAccessToken().getToken().getScopes())
+ .isEqualTo(authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
 assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal);
 assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(authorization.getAccessToken().getToken());
 }
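Review bot: The replaced assertion drops the independent expected value: the two new lines only check that the token's scopes equal the stored attribute, so a defect that left both as the empty set, or both as an unvalidated requested set, would still pass, whereas the removed line pinned the scopes to `clientPrincipal.getRegisteredClient().getScopes()`. Keep that oracle next to the new check, e.g. `assertThat(authorization.<Set<String>>getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME)).isEqualTo(clientPrincipal.getRegisteredClient().getScopes());`. The provider's requested-scope branch, where the attribute becomes a narrowed `LinkedHashSet`, also deserves an assertion that the attribute equals the requested subset, unless such a test already exists elsewhere in this file. The first added line reads `authorization.>getAttribute(...)`, which looks like an explicit type witness such as `<Set<String>>` lost in rendering rather than the committed text, so it is worth confirming against the actual commit. The enclosing test method starts before this hunk.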