Add client_credentials grant type support

Closes gh-51
This commit is contained in:
Alexey Nesterov 2020-06-11 14:54:01 +01:00 committed by Joe Grandja
parent 88911641af
commit c40aec2eb4
12 changed files with 743 additions and 5 deletions

View File

@ -26,6 +26,7 @@ import org.springframework.security.oauth2.server.authorization.InMemoryOAuth2Au
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService; import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationProvider; import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationProvider;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationProvider; import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationProvider;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationProvider;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository; import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationEndpointFilter; import org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationEndpointFilter;
import org.springframework.security.oauth2.server.authorization.web.OAuth2ClientAuthenticationFilter; import org.springframework.security.oauth2.server.authorization.web.OAuth2ClientAuthenticationFilter;
@ -88,7 +89,12 @@ public final class OAuth2AuthorizationServerConfigurer<B extends HttpSecurityBui
new OAuth2AuthorizationCodeAuthenticationProvider( new OAuth2AuthorizationCodeAuthenticationProvider(
getRegisteredClientRepository(builder), getRegisteredClientRepository(builder),
getAuthorizationService(builder)); getAuthorizationService(builder));
OAuth2ClientCredentialsAuthenticationProvider clientCredentialsAuthenticationProvider
= new OAuth2ClientCredentialsAuthenticationProvider();
builder.authenticationProvider(postProcess(authorizationCodeAuthenticationProvider)); builder.authenticationProvider(postProcess(authorizationCodeAuthenticationProvider));
builder.authenticationProvider(postProcess(clientCredentialsAuthenticationProvider));
} }
@Override @Override

View File

@ -17,6 +17,7 @@ dependencies {
testCompile 'org.assertj:assertj-core' testCompile 'org.assertj:assertj-core'
testCompile 'org.mockito:mockito-core' testCompile 'org.mockito:mockito-core'
testCompile 'com.squareup.okhttp3:mockwebserver' testCompile 'com.squareup.okhttp3:mockwebserver'
testCompile 'com.jayway.jsonpath:json-path'
provided 'javax.servlet:javax.servlet-api' provided 'javax.servlet:javax.servlet-api'
} }

View File

@ -0,0 +1,85 @@
/*
* Copyright 2020 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.oauth2.server.authorization.authentication;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Base64;
import java.util.Set;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
import org.springframework.security.crypto.keygen.StringKeyGenerator;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
/**
* An {@link AuthenticationProvider} implementation for the OAuth 2.0 Client Credentials Grant.
*
* @author Alexey Nesterov
* @since 0.0.1
* @see OAuth2ClientCredentialsAuthenticationToken
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.4">Section 4.4 Client Credentials Grant</a>
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.4.2">Section 4.4.2 Access Token Request</a>
*/
public class OAuth2ClientCredentialsAuthenticationProvider implements AuthenticationProvider {
private final StringKeyGenerator accessTokenGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder());
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
OAuth2ClientCredentialsAuthenticationToken clientCredentialsAuthenticationToken =
(OAuth2ClientCredentialsAuthenticationToken) authentication;
OAuth2ClientAuthenticationToken clientPrincipal = null;
if (OAuth2ClientAuthenticationToken.class.isAssignableFrom(clientCredentialsAuthenticationToken.getPrincipal().getClass())) {
clientPrincipal = (OAuth2ClientAuthenticationToken) clientCredentialsAuthenticationToken.getPrincipal();
}
if (clientPrincipal == null || !clientPrincipal.isAuthenticated()) {
throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_CLIENT));
}
Set<String> clientScopes = clientPrincipal.getRegisteredClient().getScopes();
Set<String> requestedScopes = clientCredentialsAuthenticationToken.getScopes();
if (!clientScopes.containsAll(requestedScopes)) {
throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_SCOPE));
}
if (requestedScopes == null || requestedScopes.isEmpty()) {
requestedScopes = clientScopes;
}
String tokenValue = this.accessTokenGenerator.generateKey();
Instant issuedAt = Instant.now();
Instant expiresAt = issuedAt.plus(1, ChronoUnit.HOURS); // TODO Allow configuration for access token lifespan
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
tokenValue, issuedAt, expiresAt, requestedScopes);
return new OAuth2AccessTokenAuthenticationToken(
clientPrincipal.getRegisteredClient(), clientPrincipal, accessToken);
}
@Override
public boolean supports(Class<?> authentication) {
return OAuth2ClientCredentialsAuthenticationToken.class.isAssignableFrom(authentication);
}
}

View File

@ -0,0 +1,68 @@
/*
* Copyright 2020 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.oauth2.server.authorization.authentication;
import java.util.Collections;
import java.util.Set;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.server.authorization.Version;
import org.springframework.util.Assert;
/**
* An {@link Authentication} implementation used for the OAuth 2.0 Client Credentials Grant.
*
* @author Alexey Nesterov
* @since 0.0.1
* @see Authentication
* @see OAuth2ClientCredentialsAuthenticationProvider
*/
public class OAuth2ClientCredentialsAuthenticationToken extends AbstractAuthenticationToken {
private static final long serialVersionUID = Version.SERIAL_VERSION_UID;
private final Authentication clientPrincipal;
private final Set<String> scopes;
public OAuth2ClientCredentialsAuthenticationToken(Authentication clientPrincipal, Set<String> scopes) {
super(Collections.emptyList());
Assert.notNull(clientPrincipal, "clientPrincipal cannot be null");
Assert.notNull(scopes, "scopes cannot be null");
this.clientPrincipal = clientPrincipal;
this.scopes = scopes;
}
@SuppressWarnings("unchecked")
public OAuth2ClientCredentialsAuthenticationToken(OAuth2ClientAuthenticationToken clientPrincipal) {
this(clientPrincipal, Collections.EMPTY_SET);
}
@Override
public Object getCredentials() {
return "";
}
@Override
public Object getPrincipal() {
return this.clientPrincipal;
}
public Set<String> getScopes() {
return this.scopes;
}
}

View File

@ -0,0 +1,61 @@
/*
* Copyright 2020 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.oauth2.server.authorization.web;
import javax.servlet.http.HttpServletRequest;
import java.util.Collections;
import java.util.Map;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
/**
* A {@link Converter} that delegates actual conversion to one of the provided converters based on grant_type param of a request.
* Returns null is grant type is not specified or not supported.
*
* @author Alexey Nesterov
* @since 0.0.1
*/
public final class DelegatingAuthorizationGrantAuthenticationConverter implements Converter<HttpServletRequest, Authentication> {
private final Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters;
public DelegatingAuthorizationGrantAuthenticationConverter(Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters) {
Assert.notEmpty(converters, "converters cannot be empty");
this.converters = Collections.unmodifiableMap(converters);
}
@Override
public Authentication convert(HttpServletRequest request) {
String grantType = request.getParameter(OAuth2ParameterNames.GRANT_TYPE);
if (StringUtils.isEmpty(grantType)) {
return null;
}
Converter<HttpServletRequest, Authentication> converter = this.converters.get(new AuthorizationGrantType(grantType));
if (converter == null) {
return null;
}
return converter.convert(request);
}
}

View File

@ -35,6 +35,8 @@ import org.springframework.security.oauth2.core.http.converter.OAuth2ErrorHttpMe
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService; import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken; import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken; import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert; import org.springframework.util.Assert;
@ -48,6 +50,11 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import java.io.IOException; import java.io.IOException;
import java.time.temporal.ChronoUnit; import java.time.temporal.ChronoUnit;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
/** /**
* A {@code Filter} for the OAuth 2.0 Authorization Code Grant, * A {@code Filter} for the OAuth 2.0 Authorization Code Grant,
@ -86,8 +93,8 @@ public class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
private final AuthenticationManager authenticationManager; private final AuthenticationManager authenticationManager;
private final OAuth2AuthorizationService authorizationService; private final OAuth2AuthorizationService authorizationService;
private final RequestMatcher tokenEndpointMatcher; private final RequestMatcher tokenEndpointMatcher;
private final Converter<HttpServletRequest, Authentication> authorizationGrantAuthenticationConverter = private final Converter<HttpServletRequest, Authentication> authorizationGrantAuthenticationConverter;
new AuthorizationCodeAuthenticationConverter();
private final HttpMessageConverter<OAuth2AccessTokenResponse> accessTokenHttpResponseConverter = private final HttpMessageConverter<OAuth2AccessTokenResponse> accessTokenHttpResponseConverter =
new OAuth2AccessTokenResponseHttpMessageConverter(); new OAuth2AccessTokenResponseHttpMessageConverter();
private final HttpMessageConverter<OAuth2Error> errorHttpResponseConverter = private final HttpMessageConverter<OAuth2Error> errorHttpResponseConverter =
@ -119,6 +126,11 @@ public class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
this.authenticationManager = authenticationManager; this.authenticationManager = authenticationManager;
this.authorizationService = authorizationService; this.authorizationService = authorizationService;
this.tokenEndpointMatcher = new AntPathRequestMatcher(tokenEndpointUri, HttpMethod.POST.name()); this.tokenEndpointMatcher = new AntPathRequestMatcher(tokenEndpointUri, HttpMethod.POST.name());
Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters = new HashMap<>();
converters.put(AuthorizationGrantType.AUTHORIZATION_CODE, new AuthorizationCodeAuthenticationConverter());
converters.put(AuthorizationGrantType.CLIENT_CREDENTIALS, new ClientCredentialsAuthenticationConverter());
this.authorizationGrantAuthenticationConverter = new DelegatingAuthorizationGrantAuthenticationConverter(converters);
} }
@Override @Override
@ -131,8 +143,16 @@ public class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
} }
try { try {
Authentication authorizationGrantAuthentication = String[] grantTypes = request.getParameterValues(OAuth2ParameterNames.GRANT_TYPE);
this.authorizationGrantAuthenticationConverter.convert(request); if (grantTypes == null || grantTypes.length == 0) {
throwError(OAuth2ErrorCodes.INVALID_REQUEST, "grant_type");
}
Authentication authorizationGrantAuthentication = this.authorizationGrantAuthenticationConverter.convert(request);
if (authorizationGrantAuthentication == null) {
throwError(OAuth2ErrorCodes.UNSUPPORTED_GRANT_TYPE, "grant_type");
}
OAuth2AccessTokenAuthenticationToken accessTokenAuthentication = OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
(OAuth2AccessTokenAuthenticationToken) this.authenticationManager.authenticate(authorizationGrantAuthentication); (OAuth2AccessTokenAuthenticationToken) this.authenticationManager.authenticate(authorizationGrantAuthentication);
sendAccessTokenResponse(response, accessTokenAuthentication.getAccessToken()); sendAccessTokenResponse(response, accessTokenAuthentication.getAccessToken());
@ -161,7 +181,7 @@ public class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
this.errorHttpResponseConverter.write(error, null, httpResponse); this.errorHttpResponseConverter.write(error, null, httpResponse);
} }
private static OAuth2AuthenticationException throwError(String errorCode, String parameterName) { private static void throwError(String errorCode, String parameterName) {
OAuth2Error error = new OAuth2Error(errorCode, "OAuth 2.0 Parameter: " + parameterName, OAuth2Error error = new OAuth2Error(errorCode, "OAuth 2.0 Parameter: " + parameterName,
"https://tools.ietf.org/html/rfc6749#section-5.2"); "https://tools.ietf.org/html/rfc6749#section-5.2");
throw new OAuth2AuthenticationException(error); throw new OAuth2AuthenticationException(error);
@ -214,4 +234,29 @@ public class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
new OAuth2AuthorizationCodeAuthenticationToken(code, clientId, redirectUri); new OAuth2AuthorizationCodeAuthenticationToken(code, clientId, redirectUri);
} }
} }
private static class ClientCredentialsAuthenticationConverter implements Converter<HttpServletRequest, Authentication> {
@Override
public Authentication convert(HttpServletRequest request) {
final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
final OAuth2ClientAuthenticationToken clientAuthenticationToken = (OAuth2ClientAuthenticationToken) authentication;
// grant_type (REQUIRED)
String grantType = request.getParameter(OAuth2ParameterNames.GRANT_TYPE);
if (!AuthorizationGrantType.CLIENT_CREDENTIALS.getValue().equals(grantType)) {
throwError(OAuth2ErrorCodes.UNSUPPORTED_GRANT_TYPE, OAuth2ParameterNames.GRANT_TYPE);
}
// scope (OPTIONAL)
// https://tools.ietf.org/html/rfc6749#section-4.4.2
String scopeParameter = request.getParameter(OAuth2ParameterNames.SCOPE);
if (StringUtils.isEmpty(scopeParameter)) {
return new OAuth2ClientCredentialsAuthenticationToken(clientAuthenticationToken);
}
Set<String> requestedScopes = new HashSet<>(Arrays.asList(StringUtils.delimitedListToStringArray(scopeParameter, " ")));
return new OAuth2ClientCredentialsAuthenticationToken(clientAuthenticationToken, requestedScopes);
}
}
} }

View File

@ -0,0 +1,116 @@
/*
* Copyright 2020 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.oauth2.server.authorization.authentication;
import java.util.Collections;
import org.junit.Before;
import org.junit.Test;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy;
/**
* @author Alexey Nesterov
*/
public class OAuth2ClientCredentialsAuthenticationProviderTests {
private static final RegisteredClient EXISTING_CLIENT = TestRegisteredClients.registeredClient().build();
private OAuth2ClientCredentialsAuthenticationProvider authenticationProvider;
@Before
public void setUp() {
this.authenticationProvider = new OAuth2ClientCredentialsAuthenticationProvider();
}
@Test
public void supportsWhenSupportedClassThenTrue() {
assertThat(this.authenticationProvider.supports(OAuth2ClientCredentialsAuthenticationToken.class)).isTrue();
}
@Test
public void supportsWhenUnsupportedClassThenFalse() {
assertThat(this.authenticationProvider.supports(OAuth2AuthorizationCodeAuthenticationProvider.class)).isFalse();
}
@Test
public void authenticateWhenValidAuthenticationThenReturnTokenWithClient() {
Authentication authentication = this.authenticationProvider.authenticate(getAuthentication());
assertThat(authentication).isInstanceOf(OAuth2AccessTokenAuthenticationToken.class);
OAuth2AccessTokenAuthenticationToken token = (OAuth2AccessTokenAuthenticationToken) authentication;
assertThat(token.getRegisteredClient()).isEqualTo(EXISTING_CLIENT);
}
@Test
public void authenticateWhenValidAuthenticationThenGenerateTokenValue() {
Authentication authentication = this.authenticationProvider.authenticate(getAuthentication());
OAuth2AccessTokenAuthenticationToken token = (OAuth2AccessTokenAuthenticationToken) authentication;
assertThat(token.getAccessToken().getTokenValue()).isNotBlank();
}
@Test
public void authenticateWhenValidateScopeThenReturnTokenWithScopes() {
Authentication authentication = this.authenticationProvider.authenticate(getAuthentication());
OAuth2AccessTokenAuthenticationToken token = (OAuth2AccessTokenAuthenticationToken) authentication;
assertThat(token.getAccessToken().getScopes()).containsAll(EXISTING_CLIENT.getScopes());
}
@Test
public void authenticateWhenNoScopeRequestedThenUseDefaultScopes() {
OAuth2ClientCredentialsAuthenticationToken authenticationToken = new OAuth2ClientCredentialsAuthenticationToken(new OAuth2ClientAuthenticationToken(EXISTING_CLIENT));
Authentication authentication = this.authenticationProvider.authenticate(authenticationToken);
OAuth2AccessTokenAuthenticationToken token = (OAuth2AccessTokenAuthenticationToken) authentication;
assertThat(token.getAccessToken().getScopes()).containsAll(EXISTING_CLIENT.getScopes());
}
@Test
public void authenticateWhenInvalidSecretThenThrowException() {
OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(
new OAuth2ClientAuthenticationToken(EXISTING_CLIENT.getClientId(), "not-a-valid-secret"));
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class);
}
@Test
public void authenticateWhenNonExistingClientThenThrowException() {
OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(
new OAuth2ClientAuthenticationToken("another-client-id", "another-secret"));
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class);
}
@Test
public void authenticateWhenInvalidScopesThenThrowException() {
OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(
new OAuth2ClientAuthenticationToken(EXISTING_CLIENT), Collections.singleton("non-existing-scope"));
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class);
}
private OAuth2ClientCredentialsAuthenticationToken getAuthentication() {
return new OAuth2ClientCredentialsAuthenticationToken(new OAuth2ClientAuthenticationToken(EXISTING_CLIENT), EXISTING_CLIENT.getScopes());
}
}

View File

@ -0,0 +1,73 @@
/*
* Copyright 2020 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.oauth2.server.authorization.authentication;
import java.util.Collections;
import java.util.Set;
import org.junit.Test;
import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy;
/**
* @author Alexey Nesterov
*/
public class OAuth2ClientCredentialsAuthenticationTokenTests {
private final OAuth2ClientAuthenticationToken clientPrincipal =
new OAuth2ClientAuthenticationToken(TestRegisteredClients.registeredClient().build());
@Test
public void constructorWhenClientPrincipalNullThenThrowIllegalArgumentException() {
assertThatThrownBy(() -> new OAuth2ClientCredentialsAuthenticationToken(null))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("clientPrincipal cannot be null");
}
@Test
public void constructorWhenScopesNullThenThrowIllegalArgumentException() {
assertThatThrownBy(() -> new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal, null))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("scopes cannot be null");
}
@Test
public void constructorWhenClientPrincipalProvidedThenCreated() {
OAuth2ClientCredentialsAuthenticationToken authentication
= new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal);
assertThat(authentication.getPrincipal()).isEqualTo(this.clientPrincipal);
assertThat(authentication.getCredentials().toString()).isEmpty();
assertThat(authentication.getScopes()).isEmpty();
}
@Test
public void constructorWhenScopesProvidedThenCreated() {
Set<String> expectedScopes = Collections.singleton("test-scope");
OAuth2ClientCredentialsAuthenticationToken authentication
= new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal, expectedScopes);
assertThat(authentication.getPrincipal()).isEqualTo(this.clientPrincipal);
assertThat(authentication.getCredentials().toString()).isEmpty();
assertThat(authentication.getScopes()).containsAll(expectedScopes);
}
}

View File

@ -0,0 +1,96 @@
/*
* Copyright 2020 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.oauth2.server.authorization.web;
import javax.servlet.http.HttpServletRequest;
import java.util.Collections;
import java.util.Map;
import org.junit.Before;
import org.junit.Test;
import org.springframework.core.convert.converter.Converter;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockServletContext;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoInteractions;
import static org.mockito.Mockito.when;
/**
* @author Alexey Nesterov
*/
public class DelegatingAuthorizationGrantAuthenticationConverterTests {
private DelegatingAuthorizationGrantAuthenticationConverter authenticationConverter;
private Converter<HttpServletRequest, Authentication> clientCredentialsConverterMock;
@Before
public void setUp() {
clientCredentialsConverterMock = mock(Converter.class);
Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters
= Collections.singletonMap(AuthorizationGrantType.CLIENT_CREDENTIALS, clientCredentialsConverterMock);
authenticationConverter = new DelegatingAuthorizationGrantAuthenticationConverter(converters);
}
@Test
public void convertWhenAuthorizationGrantTypeSupportedThenConverterCalled() {
MockHttpServletRequest request = MockMvcRequestBuilders
.post("/oauth/token")
.param("grant_type", "client_credentials")
.buildRequest(new MockServletContext());
OAuth2ClientAuthenticationToken expectedAuthentication = new OAuth2ClientAuthenticationToken("id", "secret");
when(clientCredentialsConverterMock.convert(request)).thenReturn(expectedAuthentication);
Authentication actualAuthentication = authenticationConverter.convert(request);
verify(clientCredentialsConverterMock).convert(request);
assertThat(actualAuthentication).isEqualTo(expectedAuthentication);
}
@Test
public void convertWhenAuthorizationGrantTypeNotSupportedThenNull() {
MockHttpServletRequest request = MockMvcRequestBuilders
.post("/oauth/token")
.param("grant_type", "authorization_code")
.buildRequest(new MockServletContext());
Authentication actualAuthentication = authenticationConverter.convert(request);
verifyNoInteractions(clientCredentialsConverterMock);
assertThat(actualAuthentication).isNull();
}
@Test
public void convertWhenNoAuthorizationGrantTypeThenNull() {
MockHttpServletRequest request = MockMvcRequestBuilders
.post("/oauth/token")
.buildRequest(new MockServletContext());
Authentication actualAuthentication = authenticationConverter.convert(request);
verifyNoInteractions(clientCredentialsConverterMock);
assertThat(actualAuthentication).isNull();
}
}

View File

@ -0,0 +1,119 @@
/*
* Copyright 2020 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.oauth2.server.authorization.web;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.oauth2.server.authorization.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.config.test.SpringTestRule;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
import org.springframework.test.web.servlet.MockMvc;
import static org.hamcrest.CoreMatchers.endsWith;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.reset;
import static org.mockito.Mockito.when;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
/**
* @author Alexey Nesterov
*/
public class OAuth2ClientCredentialsGrantTests {
private static RegisteredClientRepository registeredClientRepository;
private static OAuth2AuthorizationService authorizationService;
@Rule
public final SpringTestRule spring = new SpringTestRule();
@Autowired
private MockMvc mvc;
@BeforeClass
public static void init() {
registeredClientRepository = mock(RegisteredClientRepository.class);
authorizationService = mock(OAuth2AuthorizationService.class);
}
@Before
public void setup() {
reset(registeredClientRepository);
reset(authorizationService);
}
@Test
public void requestWhenTokenRequestAuthenticatedThenThenReturnTokenAndScope() throws Exception {
this.spring.register(AuthorizationServerConfiguration.class).autowire();
RegisteredClient client = TestRegisteredClients.registeredClient().build();
when(registeredClientRepository.findByClientId(client.getClientId()))
.thenReturn(client);
this.mvc.perform(post(OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI)
.with(httpBasic(client.getClientId(), client.getClientSecret()))
.with(csrf())
.param("grant_type", "client_credentials")
.param("scope", "email openid"))
.andExpect(status().isOk())
.andExpect(jsonPath("$.access_token").isNotEmpty())
.andExpect(jsonPath("$.scope").value("openid email"));
}
@Test
public void requestWhenTokenRequestNotAuthenticatedThenRedirect() throws Exception {
this.spring.register(AuthorizationServerConfiguration.class).autowire();
RegisteredClient client = TestRegisteredClients.registeredClient().build();
when(registeredClientRepository.findByClientId(client.getClientId()))
.thenReturn(client);
this.mvc.perform(post(OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI)
.with(csrf())
.param("grant_type", "client_credentials")
.param("scope", "email openid"))
.andExpect(status().isFound())
.andExpect(header().string("Location", endsWith("/login")));
}
@EnableWebSecurity
@Import(OAuth2AuthorizationServerConfiguration.class)
static class AuthorizationServerConfiguration {
@Bean
RegisteredClientRepository registeredClientRepository() {
return registeredClientRepository;
}
@Bean
OAuth2AuthorizationService authorizationService() {
return authorizationService;
}
}
}

View File

@ -19,6 +19,7 @@ import org.junit.After;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import org.mockito.ArgumentCaptor; import org.mockito.ArgumentCaptor;
import org.springframework.http.HttpStatus; import org.springframework.http.HttpStatus;
import org.springframework.http.converter.HttpMessageConverter; import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.mock.http.client.MockClientHttpResponse; import org.springframework.mock.http.client.MockClientHttpResponse;
@ -40,12 +41,15 @@ import org.springframework.security.oauth2.server.authorization.OAuth2Authorizat
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken; import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken; import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken; import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient; import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients; import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
import javax.servlet.FilterChain; import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.time.Duration; import java.time.Duration;
import java.time.Instant; import java.time.Instant;
import java.util.Arrays; import java.util.Arrays;
@ -237,6 +241,69 @@ public class OAuth2TokenEndpointFilterTests {
assertThat(accessTokenResult.getScopes()).isEqualTo(accessToken.getScopes()); assertThat(accessTokenResult.getScopes()).isEqualTo(accessToken.getScopes());
} }
@Test
public void doFilterWhenGrantTypeIsClientCredentialsThenAuthenticateWithClientCredentialsToken() throws ServletException, IOException {
RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
doFilterForClientCredentialsGrant(registeredClient, null);
ArgumentCaptor<Authentication> captor = ArgumentCaptor.forClass(Authentication.class);
verify(this.authenticationManager).authenticate(captor.capture());
assertThat(captor.getValue()).isInstanceOf(OAuth2ClientCredentialsAuthenticationToken.class);
OAuth2ClientCredentialsAuthenticationToken clientAuthenticationToken = (OAuth2ClientCredentialsAuthenticationToken) captor.getValue();
assertThat(clientAuthenticationToken.getPrincipal()).isEqualTo(new OAuth2ClientAuthenticationToken(registeredClient));
}
@Test
public void doFilterWhenGrantTypeIsClientCredentialsWithScopeThenIncludeScopeInResponse() throws ServletException, IOException {
RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
doFilterForClientCredentialsGrant(registeredClient, "openid email");
ArgumentCaptor<Authentication> captor = ArgumentCaptor.forClass(Authentication.class);
verify(this.authenticationManager).authenticate(captor.capture());
assertThat(captor.getValue()).isInstanceOf(OAuth2ClientCredentialsAuthenticationToken.class);
OAuth2ClientCredentialsAuthenticationToken clientAuthenticationToken = (OAuth2ClientCredentialsAuthenticationToken) captor.getValue();
HashSet<String> expectedScopes = new HashSet<>();
expectedScopes.add("openid");
expectedScopes.add("email");
assertThat(clientAuthenticationToken.getScopes()).isEqualTo(expectedScopes);
}
private void doFilterForClientCredentialsGrant(RegisteredClient registeredClient, String scope) throws ServletException, IOException {
Authentication clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient);
OAuth2AccessToken accessToken = new OAuth2AccessToken(
OAuth2AccessToken.TokenType.BEARER, "token",
Instant.now(), Instant.now().plus(Duration.ofHours(1)),
new HashSet<>(Arrays.asList("scope1", "scope2")));
OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
new OAuth2AccessTokenAuthenticationToken(
registeredClient, clientPrincipal, accessToken);
final String clientId = registeredClient.getClientId();
final String clientSecret = registeredClient.getClientSecret();
MockHttpServletRequest request = new MockHttpServletRequest("POST", OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI);
request.setServletPath(OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI);
request.addParameter("client_id", clientId);
request.addParameter("client_secret", clientSecret);
request.addParameter("grant_type", AuthorizationGrantType.CLIENT_CREDENTIALS.getValue());
if (scope != null) {
request.addParameter("scope", scope);
}
when(this.authenticationManager.authenticate(any())).thenReturn(accessTokenAuthentication);
SecurityContext context = SecurityContextHolder.createEmptyContext();
context.setAuthentication(new OAuth2ClientAuthenticationToken(registeredClient));
SecurityContextHolder.setContext(context);
MockHttpServletResponse response = new MockHttpServletResponse();
filter.doFilter(request, response, mock(FilterChain.class));
}
private void doFilterWhenTokenRequestInvalidParameterThenError(String parameterName, String errorCode, private void doFilterWhenTokenRequestInvalidParameterThenError(String parameterName, String errorCode,
Consumer<MockHttpServletRequest> requestConsumer) throws Exception { Consumer<MockHttpServletRequest> requestConsumer) throws Exception {

View File

@ -14,5 +14,6 @@ dependencyManagement {
dependency 'org.mockito:mockito-core:latest.release' dependency 'org.mockito:mockito-core:latest.release'
dependency "com.squareup.okhttp3:mockwebserver:3.+" dependency "com.squareup.okhttp3:mockwebserver:3.+"
dependency "com.squareup.okhttp3:okhttp:3.+" dependency "com.squareup.okhttp3:okhttp:3.+"
dependency "com.jayway.jsonpath:json-path:2.+"
} }
} }