Alexey Nesterov
Joe Grandja
parent
88911641af
commit
c40aec2eb4
|
|
@ -26,6 +26,7 @@ import org.springframework.security.oauth2.server.authorization.InMemoryOAuth2Au
|
|||
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
|
||||
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationProvider;
|
||||
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationProvider;
|
||||
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationProvider;
|
||||
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
|
||||
import org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationEndpointFilter;
|
||||
import org.springframework.security.oauth2.server.authorization.web.OAuth2ClientAuthenticationFilter;
|
||||
|
|
@ -88,7 +89,12 @@ public final class OAuth2AuthorizationServerConfigurer<B extends HttpSecurityBui
|
|||
new OAuth2AuthorizationCodeAuthenticationProvider(
|
||||
getRegisteredClientRepository(builder),
|
||||
getAuthorizationService(builder));
|
||||
|
||||
OAuth2ClientCredentialsAuthenticationProvider clientCredentialsAuthenticationProvider
|
||||
= new OAuth2ClientCredentialsAuthenticationProvider();
|
||||
|
||||
builder.authenticationProvider(postProcess(authorizationCodeAuthenticationProvider));
|
||||
builder.authenticationProvider(postProcess(clientCredentialsAuthenticationProvider));
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
|||
|
|
@ -17,6 +17,7 @@ dependencies {
|
|||
testCompile 'org.assertj:assertj-core'
|
||||
testCompile 'org.mockito:mockito-core'
|
||||
testCompile 'com.squareup.okhttp3:mockwebserver'
|
||||
testCompile 'com.jayway.jsonpath:json-path'
|
||||
|
||||
provided 'javax.servlet:javax.servlet-api'
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,85 @@
|
|||
/*
|
||||
* Copyright 2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.security.oauth2.server.authorization.authentication;
|
||||
|
||||
import java.time.Instant;
|
||||
import java.time.temporal.ChronoUnit;
|
||||
import java.util.Base64;
|
||||
import java.util.Set;
|
||||
|
||||
import org.springframework.security.authentication.AuthenticationProvider;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.AuthenticationException;
|
||||
import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
|
||||
import org.springframework.security.crypto.keygen.StringKeyGenerator;
|
||||
import org.springframework.security.oauth2.core.OAuth2AccessToken;
|
||||
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
|
||||
import org.springframework.security.oauth2.core.OAuth2Error;
|
||||
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
|
||||
|
||||
/**
|
||||
* An {@link AuthenticationProvider} implementation for the OAuth 2.0 Client Credentials Grant.
|
||||
*
|
||||
* @author Alexey Nesterov
|
||||
* @since 0.0.1
|
||||
* @see OAuth2ClientCredentialsAuthenticationToken
|
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.4">Section 4.4 Client Credentials Grant</a>
|
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.4.2">Section 4.4.2 Access Token Request</a>
|
||||
*/
|
||||
|
||||
public class OAuth2ClientCredentialsAuthenticationProvider implements AuthenticationProvider {
|
||||
|
||||
private final StringKeyGenerator accessTokenGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder());
|
||||
|
||||
@Override
|
||||
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
|
||||
OAuth2ClientCredentialsAuthenticationToken clientCredentialsAuthenticationToken =
|
||||
(OAuth2ClientCredentialsAuthenticationToken) authentication;
|
||||
|
||||
OAuth2ClientAuthenticationToken clientPrincipal = null;
|
||||
if (OAuth2ClientAuthenticationToken.class.isAssignableFrom(clientCredentialsAuthenticationToken.getPrincipal().getClass())) {
|
||||
clientPrincipal = (OAuth2ClientAuthenticationToken) clientCredentialsAuthenticationToken.getPrincipal();
|
||||
}
|
||||
|
||||
if (clientPrincipal == null || !clientPrincipal.isAuthenticated()) {
|
||||
throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_CLIENT));
|
||||
}
|
||||
|
||||
Set<String> clientScopes = clientPrincipal.getRegisteredClient().getScopes();
|
||||
Set<String> requestedScopes = clientCredentialsAuthenticationToken.getScopes();
|
||||
if (!clientScopes.containsAll(requestedScopes)) {
|
||||
throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_SCOPE));
|
||||
}
|
||||
|
||||
if (requestedScopes == null || requestedScopes.isEmpty()) {
|
||||
requestedScopes = clientScopes;
|
||||
}
|
||||
|
||||
String tokenValue = this.accessTokenGenerator.generateKey();
|
||||
Instant issuedAt = Instant.now();
|
||||
Instant expiresAt = issuedAt.plus(1, ChronoUnit.HOURS); // TODO Allow configuration for access token lifespan
|
||||
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
|
||||
tokenValue, issuedAt, expiresAt, requestedScopes);
|
||||
|
||||
return new OAuth2AccessTokenAuthenticationToken(
|
||||
clientPrincipal.getRegisteredClient(), clientPrincipal, accessToken);
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean supports(Class<?> authentication) {
|
||||
return OAuth2ClientCredentialsAuthenticationToken.class.isAssignableFrom(authentication);
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,68 @@
|
|||
/*
|
||||
* Copyright 2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.oauth2.server.authorization.authentication;
|
||||
|
||||
import java.util.Collections;
|
||||
import java.util.Set;
|
||||
|
||||
import org.springframework.security.authentication.AbstractAuthenticationToken;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.oauth2.server.authorization.Version;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
* An {@link Authentication} implementation used for the OAuth 2.0 Client Credentials Grant.
|
||||
*
|
||||
* @author Alexey Nesterov
|
||||
* @since 0.0.1
|
||||
* @see Authentication
|
||||
* @see OAuth2ClientCredentialsAuthenticationProvider
|
||||
*/
|
||||
public class OAuth2ClientCredentialsAuthenticationToken extends AbstractAuthenticationToken {
|
||||
|
||||
private static final long serialVersionUID = Version.SERIAL_VERSION_UID;
|
||||
|
||||
private final Authentication clientPrincipal;
|
||||
private final Set<String> scopes;
|
||||
|
||||
public OAuth2ClientCredentialsAuthenticationToken(Authentication clientPrincipal, Set<String> scopes) {
|
||||
super(Collections.emptyList());
|
||||
Assert.notNull(clientPrincipal, "clientPrincipal cannot be null");
|
||||
Assert.notNull(scopes, "scopes cannot be null");
|
||||
this.clientPrincipal = clientPrincipal;
|
||||
this.scopes = scopes;
|
||||
}
|
||||
|
||||
@SuppressWarnings("unchecked")
|
||||
public OAuth2ClientCredentialsAuthenticationToken(OAuth2ClientAuthenticationToken clientPrincipal) {
|
||||
this(clientPrincipal, Collections.EMPTY_SET);
|
||||
}
|
||||
|
||||
@Override
|
||||
public Object getCredentials() {
|
||||
return "";
|
||||
}
|
||||
|
||||
@Override
|
||||
public Object getPrincipal() {
|
||||
return this.clientPrincipal;
|
||||
}
|
||||
|
||||
public Set<String> getScopes() {
|
||||
return this.scopes;
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,61 @@
|
|||
/*
|
||||
* Copyright 2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.oauth2.server.authorization.web;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.util.Collections;
|
||||
import java.util.Map;
|
||||
|
||||
import org.springframework.core.convert.converter.Converter;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.oauth2.core.AuthorizationGrantType;
|
||||
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.util.StringUtils;
|
||||
|
||||
/**
|
||||
* A {@link Converter} that delegates actual conversion to one of the provided converters based on grant_type param of a request.
|
||||
* Returns null is grant type is not specified or not supported.
|
||||
*
|
||||
* @author Alexey Nesterov
|
||||
* @since 0.0.1
|
||||
*/
|
||||
public final class DelegatingAuthorizationGrantAuthenticationConverter implements Converter<HttpServletRequest, Authentication> {
|
||||
|
||||
private final Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters;
|
||||
|
||||
public DelegatingAuthorizationGrantAuthenticationConverter(Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters) {
|
||||
Assert.notEmpty(converters, "converters cannot be empty");
|
||||
|
||||
this.converters = Collections.unmodifiableMap(converters);
|
||||
}
|
||||
|
||||
@Override
|
||||
public Authentication convert(HttpServletRequest request) {
|
||||
String grantType = request.getParameter(OAuth2ParameterNames.GRANT_TYPE);
|
||||
if (StringUtils.isEmpty(grantType)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
Converter<HttpServletRequest, Authentication> converter = this.converters.get(new AuthorizationGrantType(grantType));
|
||||
if (converter == null) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return converter.convert(request);
|
||||
}
|
||||
}
|
||||
|
|
@ -35,6 +35,8 @@ import org.springframework.security.oauth2.core.http.converter.OAuth2ErrorHttpMe
|
|||
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
|
||||
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
|
||||
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken;
|
||||
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
|
||||
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
import org.springframework.util.Assert;
|
||||
|
|
@ -48,6 +50,11 @@ import javax.servlet.http.HttpServletRequest;
|
|||
import javax.servlet.http.HttpServletResponse;
|
||||
import java.io.IOException;
|
||||
import java.time.temporal.ChronoUnit;
|
||||
import java.util.Arrays;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
|
||||
/**
|
||||
* A {@code Filter} for the OAuth 2.0 Authorization Code Grant,
|
||||
|
|
@ -86,8 +93,8 @@ public class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
|
|||
private final AuthenticationManager authenticationManager;
|
||||
private final OAuth2AuthorizationService authorizationService;
|
||||
private final RequestMatcher tokenEndpointMatcher;
|
||||
private final Converter<HttpServletRequest, Authentication> authorizationGrantAuthenticationConverter =
|
||||
new AuthorizationCodeAuthenticationConverter();
|
||||
private final Converter<HttpServletRequest, Authentication> authorizationGrantAuthenticationConverter;
|
||||
|
||||
private final HttpMessageConverter<OAuth2AccessTokenResponse> accessTokenHttpResponseConverter =
|
||||
new OAuth2AccessTokenResponseHttpMessageConverter();
|
||||
private final HttpMessageConverter<OAuth2Error> errorHttpResponseConverter =
|
||||
|
|
@ -119,6 +126,11 @@ public class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
|
|||
this.authenticationManager = authenticationManager;
|
||||
this.authorizationService = authorizationService;
|
||||
this.tokenEndpointMatcher = new AntPathRequestMatcher(tokenEndpointUri, HttpMethod.POST.name());
|
||||
|
||||
Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters = new HashMap<>();
|
||||
converters.put(AuthorizationGrantType.AUTHORIZATION_CODE, new AuthorizationCodeAuthenticationConverter());
|
||||
converters.put(AuthorizationGrantType.CLIENT_CREDENTIALS, new ClientCredentialsAuthenticationConverter());
|
||||
this.authorizationGrantAuthenticationConverter = new DelegatingAuthorizationGrantAuthenticationConverter(converters);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
@ -131,8 +143,16 @@ public class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
|
|||
}
|
||||
|
||||
try {
|
||||
Authentication authorizationGrantAuthentication =
|
||||
this.authorizationGrantAuthenticationConverter.convert(request);
|
||||
String[] grantTypes = request.getParameterValues(OAuth2ParameterNames.GRANT_TYPE);
|
||||
if (grantTypes == null || grantTypes.length == 0) {
|
||||
throwError(OAuth2ErrorCodes.INVALID_REQUEST, "grant_type");
|
||||
}
|
||||
|
||||
Authentication authorizationGrantAuthentication = this.authorizationGrantAuthenticationConverter.convert(request);
|
||||
if (authorizationGrantAuthentication == null) {
|
||||
throwError(OAuth2ErrorCodes.UNSUPPORTED_GRANT_TYPE, "grant_type");
|
||||
}
|
||||
|
||||
OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
|
||||
(OAuth2AccessTokenAuthenticationToken) this.authenticationManager.authenticate(authorizationGrantAuthentication);
|
||||
sendAccessTokenResponse(response, accessTokenAuthentication.getAccessToken());
|
||||
|
|
@ -161,7 +181,7 @@ public class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
|
|||
this.errorHttpResponseConverter.write(error, null, httpResponse);
|
||||
}
|
||||
|
||||
private static OAuth2AuthenticationException throwError(String errorCode, String parameterName) {
|
||||
private static void throwError(String errorCode, String parameterName) {
|
||||
OAuth2Error error = new OAuth2Error(errorCode, "OAuth 2.0 Parameter: " + parameterName,
|
||||
"https://tools.ietf.org/html/rfc6749#section-5.2");
|
||||
throw new OAuth2AuthenticationException(error);
|
||||
|
|
@ -214,4 +234,29 @@ public class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
|
|||
new OAuth2AuthorizationCodeAuthenticationToken(code, clientId, redirectUri);
|
||||
}
|
||||
}
|
||||
|
||||
private static class ClientCredentialsAuthenticationConverter implements Converter<HttpServletRequest, Authentication> {
|
||||
|
||||
@Override
|
||||
public Authentication convert(HttpServletRequest request) {
|
||||
final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
|
||||
final OAuth2ClientAuthenticationToken clientAuthenticationToken = (OAuth2ClientAuthenticationToken) authentication;
|
||||
|
||||
// grant_type (REQUIRED)
|
||||
String grantType = request.getParameter(OAuth2ParameterNames.GRANT_TYPE);
|
||||
if (!AuthorizationGrantType.CLIENT_CREDENTIALS.getValue().equals(grantType)) {
|
||||
throwError(OAuth2ErrorCodes.UNSUPPORTED_GRANT_TYPE, OAuth2ParameterNames.GRANT_TYPE);
|
||||
}
|
||||
|
||||
// scope (OPTIONAL)
|
||||
// https://tools.ietf.org/html/rfc6749#section-4.4.2
|
||||
String scopeParameter = request.getParameter(OAuth2ParameterNames.SCOPE);
|
||||
if (StringUtils.isEmpty(scopeParameter)) {
|
||||
return new OAuth2ClientCredentialsAuthenticationToken(clientAuthenticationToken);
|
||||
}
|
||||
|
||||
Set<String> requestedScopes = new HashSet<>(Arrays.asList(StringUtils.delimitedListToStringArray(scopeParameter, " ")));
|
||||
return new OAuth2ClientCredentialsAuthenticationToken(clientAuthenticationToken, requestedScopes);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,116 @@
|
|||
/*
|
||||
* Copyright 2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.oauth2.server.authorization.authentication;
|
||||
|
||||
import java.util.Collections;
|
||||
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
|
||||
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
|
||||
import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatThrownBy;
|
||||
|
||||
/**
|
||||
* @author Alexey Nesterov
|
||||
*/
|
||||
public class OAuth2ClientCredentialsAuthenticationProviderTests {
|
||||
|
||||
private static final RegisteredClient EXISTING_CLIENT = TestRegisteredClients.registeredClient().build();
|
||||
private OAuth2ClientCredentialsAuthenticationProvider authenticationProvider;
|
||||
|
||||
@Before
|
||||
public void setUp() {
|
||||
this.authenticationProvider = new OAuth2ClientCredentialsAuthenticationProvider();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void supportsWhenSupportedClassThenTrue() {
|
||||
assertThat(this.authenticationProvider.supports(OAuth2ClientCredentialsAuthenticationToken.class)).isTrue();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void supportsWhenUnsupportedClassThenFalse() {
|
||||
assertThat(this.authenticationProvider.supports(OAuth2AuthorizationCodeAuthenticationProvider.class)).isFalse();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void authenticateWhenValidAuthenticationThenReturnTokenWithClient() {
|
||||
Authentication authentication = this.authenticationProvider.authenticate(getAuthentication());
|
||||
assertThat(authentication).isInstanceOf(OAuth2AccessTokenAuthenticationToken.class);
|
||||
|
||||
OAuth2AccessTokenAuthenticationToken token = (OAuth2AccessTokenAuthenticationToken) authentication;
|
||||
assertThat(token.getRegisteredClient()).isEqualTo(EXISTING_CLIENT);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void authenticateWhenValidAuthenticationThenGenerateTokenValue() {
|
||||
Authentication authentication = this.authenticationProvider.authenticate(getAuthentication());
|
||||
OAuth2AccessTokenAuthenticationToken token = (OAuth2AccessTokenAuthenticationToken) authentication;
|
||||
assertThat(token.getAccessToken().getTokenValue()).isNotBlank();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void authenticateWhenValidateScopeThenReturnTokenWithScopes() {
|
||||
Authentication authentication = this.authenticationProvider.authenticate(getAuthentication());
|
||||
OAuth2AccessTokenAuthenticationToken token = (OAuth2AccessTokenAuthenticationToken) authentication;
|
||||
assertThat(token.getAccessToken().getScopes()).containsAll(EXISTING_CLIENT.getScopes());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void authenticateWhenNoScopeRequestedThenUseDefaultScopes() {
|
||||
OAuth2ClientCredentialsAuthenticationToken authenticationToken = new OAuth2ClientCredentialsAuthenticationToken(new OAuth2ClientAuthenticationToken(EXISTING_CLIENT));
|
||||
Authentication authentication = this.authenticationProvider.authenticate(authenticationToken);
|
||||
OAuth2AccessTokenAuthenticationToken token = (OAuth2AccessTokenAuthenticationToken) authentication;
|
||||
assertThat(token.getAccessToken().getScopes()).containsAll(EXISTING_CLIENT.getScopes());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void authenticateWhenInvalidSecretThenThrowException() {
|
||||
OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(
|
||||
new OAuth2ClientAuthenticationToken(EXISTING_CLIENT.getClientId(), "not-a-valid-secret"));
|
||||
|
||||
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
|
||||
.isInstanceOf(OAuth2AuthenticationException.class);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void authenticateWhenNonExistingClientThenThrowException() {
|
||||
OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(
|
||||
new OAuth2ClientAuthenticationToken("another-client-id", "another-secret"));
|
||||
|
||||
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
|
||||
.isInstanceOf(OAuth2AuthenticationException.class);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void authenticateWhenInvalidScopesThenThrowException() {
|
||||
OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(
|
||||
new OAuth2ClientAuthenticationToken(EXISTING_CLIENT), Collections.singleton("non-existing-scope"));
|
||||
|
||||
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
|
||||
.isInstanceOf(OAuth2AuthenticationException.class);
|
||||
}
|
||||
|
||||
private OAuth2ClientCredentialsAuthenticationToken getAuthentication() {
|
||||
return new OAuth2ClientCredentialsAuthenticationToken(new OAuth2ClientAuthenticationToken(EXISTING_CLIENT), EXISTING_CLIENT.getScopes());
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,73 @@
|
|||
/*
|
||||
* Copyright 2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.oauth2.server.authorization.authentication;
|
||||
|
||||
import java.util.Collections;
|
||||
import java.util.Set;
|
||||
|
||||
import org.junit.Test;
|
||||
|
||||
import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatThrownBy;
|
||||
|
||||
/**
|
||||
* @author Alexey Nesterov
|
||||
*/
|
||||
public class OAuth2ClientCredentialsAuthenticationTokenTests {
|
||||
|
||||
private final OAuth2ClientAuthenticationToken clientPrincipal =
|
||||
new OAuth2ClientAuthenticationToken(TestRegisteredClients.registeredClient().build());
|
||||
|
||||
@Test
|
||||
public void constructorWhenClientPrincipalNullThenThrowIllegalArgumentException() {
|
||||
assertThatThrownBy(() -> new OAuth2ClientCredentialsAuthenticationToken(null))
|
||||
.isInstanceOf(IllegalArgumentException.class)
|
||||
.hasMessage("clientPrincipal cannot be null");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void constructorWhenScopesNullThenThrowIllegalArgumentException() {
|
||||
assertThatThrownBy(() -> new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal, null))
|
||||
.isInstanceOf(IllegalArgumentException.class)
|
||||
.hasMessage("scopes cannot be null");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void constructorWhenClientPrincipalProvidedThenCreated() {
|
||||
OAuth2ClientCredentialsAuthenticationToken authentication
|
||||
= new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal);
|
||||
|
||||
assertThat(authentication.getPrincipal()).isEqualTo(this.clientPrincipal);
|
||||
assertThat(authentication.getCredentials().toString()).isEmpty();
|
||||
assertThat(authentication.getScopes()).isEmpty();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void constructorWhenScopesProvidedThenCreated() {
|
||||
Set<String> expectedScopes = Collections.singleton("test-scope");
|
||||
|
||||
OAuth2ClientCredentialsAuthenticationToken authentication
|
||||
= new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal, expectedScopes);
|
||||
|
||||
assertThat(authentication.getPrincipal()).isEqualTo(this.clientPrincipal);
|
||||
assertThat(authentication.getCredentials().toString()).isEmpty();
|
||||
assertThat(authentication.getScopes()).containsAll(expectedScopes);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -0,0 +1,96 @@
|
|||
/*
|
||||
* Copyright 2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.oauth2.server.authorization.web;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.util.Collections;
|
||||
import java.util.Map;
|
||||
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
|
||||
import org.springframework.core.convert.converter.Converter;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockServletContext;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.oauth2.core.AuthorizationGrantType;
|
||||
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
|
||||
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.verify;
|
||||
import static org.mockito.Mockito.verifyNoInteractions;
|
||||
import static org.mockito.Mockito.when;
|
||||
|
||||
/**
|
||||
* @author Alexey Nesterov
|
||||
*/
|
||||
public class DelegatingAuthorizationGrantAuthenticationConverterTests {
|
||||
|
||||
private DelegatingAuthorizationGrantAuthenticationConverter authenticationConverter;
|
||||
private Converter<HttpServletRequest, Authentication> clientCredentialsConverterMock;
|
||||
|
||||
@Before
|
||||
public void setUp() {
|
||||
clientCredentialsConverterMock = mock(Converter.class);
|
||||
Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters
|
||||
= Collections.singletonMap(AuthorizationGrantType.CLIENT_CREDENTIALS, clientCredentialsConverterMock);
|
||||
authenticationConverter = new DelegatingAuthorizationGrantAuthenticationConverter(converters);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void convertWhenAuthorizationGrantTypeSupportedThenConverterCalled() {
|
||||
MockHttpServletRequest request = MockMvcRequestBuilders
|
||||
.post("/oauth/token")
|
||||
.param("grant_type", "client_credentials")
|
||||
.buildRequest(new MockServletContext());
|
||||
|
||||
OAuth2ClientAuthenticationToken expectedAuthentication = new OAuth2ClientAuthenticationToken("id", "secret");
|
||||
when(clientCredentialsConverterMock.convert(request)).thenReturn(expectedAuthentication);
|
||||
|
||||
Authentication actualAuthentication = authenticationConverter.convert(request);
|
||||
|
||||
verify(clientCredentialsConverterMock).convert(request);
|
||||
assertThat(actualAuthentication).isEqualTo(expectedAuthentication);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void convertWhenAuthorizationGrantTypeNotSupportedThenNull() {
|
||||
MockHttpServletRequest request = MockMvcRequestBuilders
|
||||
.post("/oauth/token")
|
||||
.param("grant_type", "authorization_code")
|
||||
.buildRequest(new MockServletContext());
|
||||
|
||||
Authentication actualAuthentication = authenticationConverter.convert(request);
|
||||
|
||||
verifyNoInteractions(clientCredentialsConverterMock);
|
||||
assertThat(actualAuthentication).isNull();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void convertWhenNoAuthorizationGrantTypeThenNull() {
|
||||
MockHttpServletRequest request = MockMvcRequestBuilders
|
||||
.post("/oauth/token")
|
||||
.buildRequest(new MockServletContext());
|
||||
|
||||
Authentication actualAuthentication = authenticationConverter.convert(request);
|
||||
|
||||
verifyNoInteractions(clientCredentialsConverterMock);
|
||||
assertThat(actualAuthentication).isNull();
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,119 @@
|
|||
/*
|
||||
* Copyright 2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.oauth2.server.authorization.web;
|
||||
|
||||
import org.junit.Before;
|
||||
import org.junit.BeforeClass;
|
||||
import org.junit.Rule;
|
||||
import org.junit.Test;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Import;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.oauth2.server.authorization.OAuth2AuthorizationServerConfiguration;
|
||||
import org.springframework.security.config.test.SpringTestRule;
|
||||
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
|
||||
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
|
||||
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
|
||||
import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
|
||||
import static org.hamcrest.CoreMatchers.endsWith;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.reset;
|
||||
import static org.mockito.Mockito.when;
|
||||
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
|
||||
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
|
||||
|
||||
/**
|
||||
* @author Alexey Nesterov
|
||||
*/
|
||||
public class OAuth2ClientCredentialsGrantTests {
|
||||
|
||||
private static RegisteredClientRepository registeredClientRepository;
|
||||
private static OAuth2AuthorizationService authorizationService;
|
||||
|
||||
@Rule
|
||||
public final SpringTestRule spring = new SpringTestRule();
|
||||
|
||||
@Autowired
|
||||
private MockMvc mvc;
|
||||
|
||||
@BeforeClass
|
||||
public static void init() {
|
||||
registeredClientRepository = mock(RegisteredClientRepository.class);
|
||||
authorizationService = mock(OAuth2AuthorizationService.class);
|
||||
}
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
reset(registeredClientRepository);
|
||||
reset(authorizationService);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void requestWhenTokenRequestAuthenticatedThenThenReturnTokenAndScope() throws Exception {
|
||||
this.spring.register(AuthorizationServerConfiguration.class).autowire();
|
||||
RegisteredClient client = TestRegisteredClients.registeredClient().build();
|
||||
when(registeredClientRepository.findByClientId(client.getClientId()))
|
||||
.thenReturn(client);
|
||||
|
||||
this.mvc.perform(post(OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI)
|
||||
.with(httpBasic(client.getClientId(), client.getClientSecret()))
|
||||
.with(csrf())
|
||||
.param("grant_type", "client_credentials")
|
||||
.param("scope", "email openid"))
|
||||
.andExpect(status().isOk())
|
||||
.andExpect(jsonPath("$.access_token").isNotEmpty())
|
||||
.andExpect(jsonPath("$.scope").value("openid email"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void requestWhenTokenRequestNotAuthenticatedThenRedirect() throws Exception {
|
||||
this.spring.register(AuthorizationServerConfiguration.class).autowire();
|
||||
RegisteredClient client = TestRegisteredClients.registeredClient().build();
|
||||
when(registeredClientRepository.findByClientId(client.getClientId()))
|
||||
.thenReturn(client);
|
||||
|
||||
this.mvc.perform(post(OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI)
|
||||
.with(csrf())
|
||||
.param("grant_type", "client_credentials")
|
||||
.param("scope", "email openid"))
|
||||
.andExpect(status().isFound())
|
||||
.andExpect(header().string("Location", endsWith("/login")));
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
@Import(OAuth2AuthorizationServerConfiguration.class)
|
||||
static class AuthorizationServerConfiguration {
|
||||
|
||||
@Bean
|
||||
RegisteredClientRepository registeredClientRepository() {
|
||||
return registeredClientRepository;
|
||||
}
|
||||
|
||||
@Bean
|
||||
OAuth2AuthorizationService authorizationService() {
|
||||
return authorizationService;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -19,6 +19,7 @@ import org.junit.After;
|
|||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.mockito.ArgumentCaptor;
|
||||
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.http.converter.HttpMessageConverter;
|
||||
import org.springframework.mock.http.client.MockClientHttpResponse;
|
||||
|
|
@ -40,12 +41,15 @@ import org.springframework.security.oauth2.server.authorization.OAuth2Authorizat
|
|||
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
|
||||
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken;
|
||||
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
|
||||
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken;
|
||||
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
|
||||
import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
|
||||
|
||||
import javax.servlet.FilterChain;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import java.io.IOException;
|
||||
import java.time.Duration;
|
||||
import java.time.Instant;
|
||||
import java.util.Arrays;
|
||||
|
|
@ -237,6 +241,69 @@ public class OAuth2TokenEndpointFilterTests {
|
|||
assertThat(accessTokenResult.getScopes()).isEqualTo(accessToken.getScopes());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterWhenGrantTypeIsClientCredentialsThenAuthenticateWithClientCredentialsToken() throws ServletException, IOException {
|
||||
RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
|
||||
doFilterForClientCredentialsGrant(registeredClient, null);
|
||||
|
||||
ArgumentCaptor<Authentication> captor = ArgumentCaptor.forClass(Authentication.class);
|
||||
verify(this.authenticationManager).authenticate(captor.capture());
|
||||
|
||||
assertThat(captor.getValue()).isInstanceOf(OAuth2ClientCredentialsAuthenticationToken.class);
|
||||
OAuth2ClientCredentialsAuthenticationToken clientAuthenticationToken = (OAuth2ClientCredentialsAuthenticationToken) captor.getValue();
|
||||
|
||||
assertThat(clientAuthenticationToken.getPrincipal()).isEqualTo(new OAuth2ClientAuthenticationToken(registeredClient));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterWhenGrantTypeIsClientCredentialsWithScopeThenIncludeScopeInResponse() throws ServletException, IOException {
|
||||
RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
|
||||
doFilterForClientCredentialsGrant(registeredClient, "openid email");
|
||||
|
||||
ArgumentCaptor<Authentication> captor = ArgumentCaptor.forClass(Authentication.class);
|
||||
verify(this.authenticationManager).authenticate(captor.capture());
|
||||
|
||||
assertThat(captor.getValue()).isInstanceOf(OAuth2ClientCredentialsAuthenticationToken.class);
|
||||
OAuth2ClientCredentialsAuthenticationToken clientAuthenticationToken = (OAuth2ClientCredentialsAuthenticationToken) captor.getValue();
|
||||
|
||||
HashSet<String> expectedScopes = new HashSet<>();
|
||||
expectedScopes.add("openid");
|
||||
expectedScopes.add("email");
|
||||
|
||||
assertThat(clientAuthenticationToken.getScopes()).isEqualTo(expectedScopes);
|
||||
}
|
||||
|
||||
private void doFilterForClientCredentialsGrant(RegisteredClient registeredClient, String scope) throws ServletException, IOException {
|
||||
Authentication clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient);
|
||||
OAuth2AccessToken accessToken = new OAuth2AccessToken(
|
||||
OAuth2AccessToken.TokenType.BEARER, "token",
|
||||
Instant.now(), Instant.now().plus(Duration.ofHours(1)),
|
||||
new HashSet<>(Arrays.asList("scope1", "scope2")));
|
||||
OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
|
||||
new OAuth2AccessTokenAuthenticationToken(
|
||||
registeredClient, clientPrincipal, accessToken);
|
||||
final String clientId = registeredClient.getClientId();
|
||||
final String clientSecret = registeredClient.getClientSecret();
|
||||
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("POST", OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI);
|
||||
request.setServletPath(OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI);
|
||||
request.addParameter("client_id", clientId);
|
||||
request.addParameter("client_secret", clientSecret);
|
||||
request.addParameter("grant_type", AuthorizationGrantType.CLIENT_CREDENTIALS.getValue());
|
||||
if (scope != null) {
|
||||
request.addParameter("scope", scope);
|
||||
}
|
||||
|
||||
when(this.authenticationManager.authenticate(any())).thenReturn(accessTokenAuthentication);
|
||||
|
||||
SecurityContext context = SecurityContextHolder.createEmptyContext();
|
||||
context.setAuthentication(new OAuth2ClientAuthenticationToken(registeredClient));
|
||||
SecurityContextHolder.setContext(context);
|
||||
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
filter.doFilter(request, response, mock(FilterChain.class));
|
||||
}
|
||||
|
||||
private void doFilterWhenTokenRequestInvalidParameterThenError(String parameterName, String errorCode,
|
||||
Consumer<MockHttpServletRequest> requestConsumer) throws Exception {
|
||||
|
||||
|
|
|
|||
|
|
@ -14,5 +14,6 @@ dependencyManagement {
|
|||
dependency 'org.mockito:mockito-core:latest.release'
|
||||
dependency "com.squareup.okhttp3:mockwebserver:3.+"
|
||||
dependency "com.squareup.okhttp3:okhttp:3.+"
|
||||
dependency "com.jayway.jsonpath:json-path:2.+"
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user