Store authorizedScopes attribute for client_credentials grant

Issue gh-213
Joe Grandja 2021-02-10 19:37:14 -05:00
parent 6ffda38cb9
commit c00226d0c6
2 changed files with 8 additions and 5 deletions


@ -102,7 +102,7 @@ public class OAuth2ClientCredentialsAuthenticationProvider implements Authentica
throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT)); throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT));
} }
Set<String> scopes = registeredClient.getScopes(); // Default to configured scopes Set<String> authorizedScopes = registeredClient.getScopes(); // Default to configured scopes
if (!CollectionUtils.isEmpty(clientCredentialsAuthentication.getScopes())) { if (!CollectionUtils.isEmpty(clientCredentialsAuthentication.getScopes())) {
Set<String> unauthorizedScopes = clientCredentialsAuthentication.getScopes().stream() Set<String> unauthorizedScopes = clientCredentialsAuthentication.getScopes().stream()
.filter(requestedScope -> !registeredClient.getScopes().contains(requestedScope)) .filter(requestedScope -> !registeredClient.getScopes().contains(requestedScope))
@ -110,14 +110,14 @@ public class OAuth2ClientCredentialsAuthenticationProvider implements Authentica
if (!CollectionUtils.isEmpty(unauthorizedScopes)) { if (!CollectionUtils.isEmpty(unauthorizedScopes)) {
throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_SCOPE)); throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_SCOPE));
} }
scopes = new LinkedHashSet<>(clientCredentialsAuthentication.getScopes()); authorizedScopes = new LinkedHashSet<>(clientCredentialsAuthentication.getScopes());
} }
String issuer = this.providerSettings != null ? this.providerSettings.issuer() : null; String issuer = this.providerSettings != null ? this.providerSettings.issuer() : null;
JoseHeader.Builder headersBuilder = JwtUtils.headers(); JoseHeader.Builder headersBuilder = JwtUtils.headers();
JwtClaimsSet.Builder claimsBuilder = JwtUtils.accessTokenClaims( JwtClaimsSet.Builder claimsBuilder = JwtUtils.accessTokenClaims(
registeredClient, issuer, clientPrincipal.getName(), scopes); registeredClient, issuer, clientPrincipal.getName(), authorizedScopes);
// @formatter:off // @formatter:off
JwtEncodingContext context = JwtEncodingContext.with(headersBuilder, claimsBuilder) JwtEncodingContext context = JwtEncodingContext.with(headersBuilder, claimsBuilder)
@ -137,7 +137,7 @@ public class OAuth2ClientCredentialsAuthenticationProvider implements Authentica
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(), jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(),
jwtAccessToken.getExpiresAt(), scopes); jwtAccessToken.getExpiresAt(), authorizedScopes);
// @formatter:off // @formatter:off
OAuth2Authorization authorization = OAuth2Authorization.withRegisteredClient(registeredClient) OAuth2Authorization authorization = OAuth2Authorization.withRegisteredClient(registeredClient)
@ -146,6 +146,7 @@ public class OAuth2ClientCredentialsAuthenticationProvider implements Authentica
.token(accessToken, .token(accessToken,
(metadata) -> (metadata) ->
metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, jwtAccessToken.getClaims())) metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, jwtAccessToken.getClaims()))
.attribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME, authorizedScopes)
.build(); .build();
// @formatter:on // @formatter:on
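Review bot: The set handed to `.attribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME, authorizedScopes)` in the last hunk is, on the requested-scopes branch, the mutable `LinkedHashSet` created at `authorizedScopes = new LinkedHashSet<>(clientCredentialsAuthentication.getScopes());`, so the persisted authorization holds a reference that a later caller could modify and thereby change the recorded scope grant without going through this provider. Unless `OAuth2Authorization.Builder.attribute` copies its value (not visible in this section), store a read-only view: `.attribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME, Collections.unmodifiableSet(authorizedScopes))`. A one-line comment such as `// Persist the scopes actually granted so downstream consumers need not recompute them` above that call would also explain why the same set now appears both in the token and as an attribute. The enclosing authenticate method starts before the first hunk and ends after the last one.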


@ -207,7 +207,9 @@ public class OAuth2ClientCredentialsAuthenticationProviderTests {
assertThat(authorization.getPrincipalName()).isEqualTo(clientPrincipal.getName()); assertThat(authorization.getPrincipalName()).isEqualTo(clientPrincipal.getName());
assertThat(authorization.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.CLIENT_CREDENTIALS); assertThat(authorization.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.CLIENT_CREDENTIALS);
assertThat(authorization.getAccessToken()).isNotNull(); assertThat(authorization.getAccessToken()).isNotNull();
assertThat(authorization.getAccessToken().getToken().getScopes()).isEqualTo(clientPrincipal.getRegisteredClient().getScopes()); assertThat(authorization.<Set<String>>getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME)).isNotNull();
assertThat(authorization.getAccessToken().getToken().getScopes())
.isEqualTo(authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal); assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal);
assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(authorization.getAccessToken().getToken()); assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(authorization.getAccessToken().getToken());
} }
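Review bot: The replaced assertion compared the token scopes against `clientPrincipal.getRegisteredClient().getScopes()`, whereas the new pair only checks that the attribute is non-null and equals the token scopes — two values derived from the same variable in the provider — so the test no longer pins what the granted scope set must actually be. Keep the original expectation alongside the new consistency check, e.g. `assertThat(authorization.<Set<String>>getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME)).isEqualTo(clientPrincipal.getRegisteredClient().getScopes());`. The enclosing test method starts before this hunk.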