Polish gh-88

This commit is contained in:
Joe Grandja 2020-07-10 09:16:19 -04:00
parent c40aec2eb4
commit ea828fb2bf
13 changed files with 430 additions and 295 deletions

View File

@ -19,9 +19,11 @@ import org.springframework.beans.factory.BeanFactoryUtils;
import org.springframework.beans.factory.NoUniqueBeanDefinitionException; import org.springframework.beans.factory.NoUniqueBeanDefinitionException;
import org.springframework.context.ApplicationContext; import org.springframework.context.ApplicationContext;
import org.springframework.http.HttpMethod; import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.HttpSecurityBuilder; import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
import org.springframework.security.oauth2.server.authorization.InMemoryOAuth2AuthorizationService; import org.springframework.security.oauth2.server.authorization.InMemoryOAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService; import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationProvider; import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationProvider;
@ -32,6 +34,7 @@ import org.springframework.security.oauth2.server.authorization.web.OAuth2Author
import org.springframework.security.oauth2.server.authorization.web.OAuth2ClientAuthenticationFilter; import org.springframework.security.oauth2.server.authorization.web.OAuth2ClientAuthenticationFilter;
import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter; import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor; import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter; import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.util.Assert; import org.springframework.util.Assert;
@ -89,12 +92,22 @@ public final class OAuth2AuthorizationServerConfigurer<B extends HttpSecurityBui
new OAuth2AuthorizationCodeAuthenticationProvider( new OAuth2AuthorizationCodeAuthenticationProvider(
getRegisteredClientRepository(builder), getRegisteredClientRepository(builder),
getAuthorizationService(builder)); getAuthorizationService(builder));
OAuth2ClientCredentialsAuthenticationProvider clientCredentialsAuthenticationProvider
= new OAuth2ClientCredentialsAuthenticationProvider();
builder.authenticationProvider(postProcess(authorizationCodeAuthenticationProvider)); builder.authenticationProvider(postProcess(authorizationCodeAuthenticationProvider));
OAuth2ClientCredentialsAuthenticationProvider clientCredentialsAuthenticationProvider =
new OAuth2ClientCredentialsAuthenticationProvider(
getAuthorizationService(builder));
builder.authenticationProvider(postProcess(clientCredentialsAuthenticationProvider)); builder.authenticationProvider(postProcess(clientCredentialsAuthenticationProvider));
ExceptionHandlingConfigurer<B> exceptionHandling = builder.getConfigurer(ExceptionHandlingConfigurer.class);
if (exceptionHandling != null) {
// Register the default AuthenticationEntryPoint for the token endpoint
exceptionHandling.defaultAuthenticationEntryPointFor(
new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED),
new AntPathRequestMatcher(
OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI,
HttpMethod.POST.name()));
}
} }
@Override @Override

View File

@ -210,7 +210,6 @@ public class OAuth2Authorization implements Serializable {
*/ */
public OAuth2Authorization build() { public OAuth2Authorization build() {
Assert.hasText(this.principalName, "principalName cannot be empty"); Assert.hasText(this.principalName, "principalName cannot be empty");
Assert.notNull(this.attributes.get(OAuth2AuthorizationAttributeNames.CODE), "authorization code cannot be null");
OAuth2Authorization authorization = new OAuth2Authorization(); OAuth2Authorization authorization = new OAuth2Authorization();
authorization.registeredClientId = this.registeredClientId; authorization.registeredClientId = this.registeredClientId;

View File

@ -15,11 +15,6 @@
*/ */
package org.springframework.security.oauth2.server.authorization.authentication; package org.springframework.security.oauth2.server.authorization.authentication;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Base64;
import java.util.Set;
import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.AuthenticationException;
@ -29,6 +24,18 @@ import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException; import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error; import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes; import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Base64;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.stream.Collectors;
/** /**
* An {@link AuthenticationProvider} implementation for the OAuth 2.0 Client Credentials Grant. * An {@link AuthenticationProvider} implementation for the OAuth 2.0 Client Credentials Grant.
@ -36,46 +43,63 @@ import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
* @author Alexey Nesterov * @author Alexey Nesterov
* @since 0.0.1 * @since 0.0.1
* @see OAuth2ClientCredentialsAuthenticationToken * @see OAuth2ClientCredentialsAuthenticationToken
* @see OAuth2AccessTokenAuthenticationToken
* @see OAuth2AuthorizationService
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.4">Section 4.4 Client Credentials Grant</a> * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.4">Section 4.4 Client Credentials Grant</a>
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.4.2">Section 4.4.2 Access Token Request</a> * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.4.2">Section 4.4.2 Access Token Request</a>
*/ */
public class OAuth2ClientCredentialsAuthenticationProvider implements AuthenticationProvider { public class OAuth2ClientCredentialsAuthenticationProvider implements AuthenticationProvider {
private final OAuth2AuthorizationService authorizationService;
private final StringKeyGenerator accessTokenGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder()); private final StringKeyGenerator accessTokenGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder());
/**
* Constructs an {@code OAuth2ClientCredentialsAuthenticationProvider} using the provided parameters.
*
* @param authorizationService the authorization service
*/
public OAuth2ClientCredentialsAuthenticationProvider(OAuth2AuthorizationService authorizationService) {
Assert.notNull(authorizationService, "authorizationService cannot be null");
this.authorizationService = authorizationService;
}
@Override @Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException { public Authentication authenticate(Authentication authentication) throws AuthenticationException {
OAuth2ClientCredentialsAuthenticationToken clientCredentialsAuthenticationToken = OAuth2ClientCredentialsAuthenticationToken clientCredentialsAuthentication =
(OAuth2ClientCredentialsAuthenticationToken) authentication; (OAuth2ClientCredentialsAuthenticationToken) authentication;
OAuth2ClientAuthenticationToken clientPrincipal = null; OAuth2ClientAuthenticationToken clientPrincipal = null;
if (OAuth2ClientAuthenticationToken.class.isAssignableFrom(clientCredentialsAuthenticationToken.getPrincipal().getClass())) { if (OAuth2ClientAuthenticationToken.class.isAssignableFrom(clientCredentialsAuthentication.getPrincipal().getClass())) {
clientPrincipal = (OAuth2ClientAuthenticationToken) clientCredentialsAuthenticationToken.getPrincipal(); clientPrincipal = (OAuth2ClientAuthenticationToken) clientCredentialsAuthentication.getPrincipal();
} }
if (clientPrincipal == null || !clientPrincipal.isAuthenticated()) { if (clientPrincipal == null || !clientPrincipal.isAuthenticated()) {
throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_CLIENT)); throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_CLIENT));
} }
RegisteredClient registeredClient = clientPrincipal.getRegisteredClient();
Set<String> clientScopes = clientPrincipal.getRegisteredClient().getScopes(); Set<String> scopes = registeredClient.getScopes(); // Default to configured scopes
Set<String> requestedScopes = clientCredentialsAuthenticationToken.getScopes(); if (!CollectionUtils.isEmpty(clientCredentialsAuthentication.getScopes())) {
if (!clientScopes.containsAll(requestedScopes)) { Set<String> unauthorizedScopes = clientCredentialsAuthentication.getScopes().stream()
throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_SCOPE)); .filter(requestedScope -> !registeredClient.getScopes().contains(requestedScope))
} .collect(Collectors.toSet());
if (!CollectionUtils.isEmpty(unauthorizedScopes)) {
if (requestedScopes == null || requestedScopes.isEmpty()) { throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_SCOPE));
requestedScopes = clientScopes; }
scopes = new LinkedHashSet<>(clientCredentialsAuthentication.getScopes());
} }
String tokenValue = this.accessTokenGenerator.generateKey(); String tokenValue = this.accessTokenGenerator.generateKey();
Instant issuedAt = Instant.now(); Instant issuedAt = Instant.now();
Instant expiresAt = issuedAt.plus(1, ChronoUnit.HOURS); // TODO Allow configuration for access token lifespan Instant expiresAt = issuedAt.plus(1, ChronoUnit.HOURS); // TODO Allow configuration for access token lifespan
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
tokenValue, issuedAt, expiresAt, requestedScopes); tokenValue, issuedAt, expiresAt, scopes);
return new OAuth2AccessTokenAuthenticationToken( OAuth2Authorization authorization = OAuth2Authorization.withRegisteredClient(registeredClient)
clientPrincipal.getRegisteredClient(), clientPrincipal, accessToken); .principalName(clientPrincipal.getName())
.accessToken(accessToken)
.build();
this.authorizationService.save(authorization);
return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken);
} }
@Override @Override

View File

@ -13,48 +13,52 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*/ */
package org.springframework.security.oauth2.server.authorization.authentication; package org.springframework.security.oauth2.server.authorization.authentication;
import java.util.Collections;
import java.util.Set;
import org.springframework.security.authentication.AbstractAuthenticationToken; import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.server.authorization.Version; import org.springframework.security.oauth2.server.authorization.Version;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
/** /**
* An {@link Authentication} implementation used for the OAuth 2.0 Client Credentials Grant. * An {@link Authentication} implementation used for the OAuth 2.0 Client Credentials Grant.
* *
* @author Alexey Nesterov * @author Alexey Nesterov
* @since 0.0.1 * @since 0.0.1
* @see Authentication * @see AbstractAuthenticationToken
* @see OAuth2ClientCredentialsAuthenticationProvider * @see OAuth2ClientCredentialsAuthenticationProvider
* @see OAuth2ClientAuthenticationToken
*/ */
public class OAuth2ClientCredentialsAuthenticationToken extends AbstractAuthenticationToken { public class OAuth2ClientCredentialsAuthenticationToken extends AbstractAuthenticationToken {
private static final long serialVersionUID = Version.SERIAL_VERSION_UID; private static final long serialVersionUID = Version.SERIAL_VERSION_UID;
private final Authentication clientPrincipal; private final Authentication clientPrincipal;
private final Set<String> scopes; private final Set<String> scopes;
/**
* Constructs an {@code OAuth2ClientCredentialsAuthenticationToken} using the provided parameters.
*
* @param clientPrincipal the authenticated client principal
*/
public OAuth2ClientCredentialsAuthenticationToken(Authentication clientPrincipal) {
this(clientPrincipal, Collections.emptySet());
}
/**
* Constructs an {@code OAuth2ClientCredentialsAuthenticationToken} using the provided parameters.
*
* @param clientPrincipal the authenticated client principal
* @param scopes the requested scope(s)
*/
public OAuth2ClientCredentialsAuthenticationToken(Authentication clientPrincipal, Set<String> scopes) { public OAuth2ClientCredentialsAuthenticationToken(Authentication clientPrincipal, Set<String> scopes) {
super(Collections.emptyList()); super(Collections.emptyList());
Assert.notNull(clientPrincipal, "clientPrincipal cannot be null"); Assert.notNull(clientPrincipal, "clientPrincipal cannot be null");
Assert.notNull(scopes, "scopes cannot be null"); Assert.notNull(scopes, "scopes cannot be null");
this.clientPrincipal = clientPrincipal; this.clientPrincipal = clientPrincipal;
this.scopes = scopes; this.scopes = Collections.unmodifiableSet(new LinkedHashSet<>(scopes));
}
@SuppressWarnings("unchecked")
public OAuth2ClientCredentialsAuthenticationToken(OAuth2ClientAuthenticationToken clientPrincipal) {
this(clientPrincipal, Collections.EMPTY_SET);
}
@Override
public Object getCredentials() {
return "";
} }
@Override @Override
@ -62,6 +66,16 @@ public class OAuth2ClientCredentialsAuthenticationToken extends AbstractAuthenti
return this.clientPrincipal; return this.clientPrincipal;
} }
@Override
public Object getCredentials() {
return "";
}
/**
* Returns the requested scope(s).
*
* @return the requested scope(s), or an empty {@code Set} if not available
*/
public Set<String> getScopes() { public Set<String> getScopes() {
return this.scopes; return this.scopes;
} }

View File

@ -13,13 +13,8 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*/ */
package org.springframework.security.oauth2.server.authorization.web; package org.springframework.security.oauth2.server.authorization.web;
import javax.servlet.http.HttpServletRequest;
import java.util.Collections;
import java.util.Map;
import org.springframework.core.convert.converter.Converter; import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.AuthorizationGrantType; import org.springframework.security.oauth2.core.AuthorizationGrantType;
@ -27,31 +22,43 @@ import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import org.springframework.util.StringUtils; import org.springframework.util.StringUtils;
import javax.servlet.http.HttpServletRequest;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
/** /**
* A {@link Converter} that delegates actual conversion to one of the provided converters based on grant_type param of a request. * A {@link Converter} that selects (and delegates) to one of the internal {@code Map} of {@link Converter}'s
* Returns null is grant type is not specified or not supported. * using the {@link OAuth2ParameterNames#GRANT_TYPE} request parameter.
* *
* @author Alexey Nesterov * @author Alexey Nesterov
* @since 0.0.1 * @since 0.0.1
*/ */
public final class DelegatingAuthorizationGrantAuthenticationConverter implements Converter<HttpServletRequest, Authentication> { public final class DelegatingAuthorizationGrantAuthenticationConverter implements Converter<HttpServletRequest, Authentication> {
private final Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters; private final Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters;
public DelegatingAuthorizationGrantAuthenticationConverter(Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters) { /**
* Constructs a {@code DelegatingAuthorizationGrantAuthenticationConverter} using the provided parameters.
*
* @param converters a {@code Map} of {@link Converter}(s)
*/
public DelegatingAuthorizationGrantAuthenticationConverter(
Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters) {
Assert.notEmpty(converters, "converters cannot be empty"); Assert.notEmpty(converters, "converters cannot be empty");
this.converters = Collections.unmodifiableMap(new HashMap<>(converters));
this.converters = Collections.unmodifiableMap(converters);
} }
@Override @Override
public Authentication convert(HttpServletRequest request) { public Authentication convert(HttpServletRequest request) {
Assert.notNull(request, "request cannot be null");
String grantType = request.getParameter(OAuth2ParameterNames.GRANT_TYPE); String grantType = request.getParameter(OAuth2ParameterNames.GRANT_TYPE);
if (StringUtils.isEmpty(grantType)) { if (StringUtils.isEmpty(grantType)) {
return null; return null;
} }
Converter<HttpServletRequest, Authentication> converter = this.converters.get(new AuthorizationGrantType(grantType)); Converter<HttpServletRequest, Authentication> converter =
this.converters.get(new AuthorizationGrantType(grantType));
if (converter == null) { if (converter == null) {
return null; return null;
} }

View File

@ -35,7 +35,6 @@ import org.springframework.security.oauth2.core.http.converter.OAuth2ErrorHttpMe
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService; import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken; import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken; import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken; import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher;
@ -94,7 +93,6 @@ public class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
private final OAuth2AuthorizationService authorizationService; private final OAuth2AuthorizationService authorizationService;
private final RequestMatcher tokenEndpointMatcher; private final RequestMatcher tokenEndpointMatcher;
private final Converter<HttpServletRequest, Authentication> authorizationGrantAuthenticationConverter; private final Converter<HttpServletRequest, Authentication> authorizationGrantAuthenticationConverter;
private final HttpMessageConverter<OAuth2AccessTokenResponse> accessTokenHttpResponseConverter = private final HttpMessageConverter<OAuth2AccessTokenResponse> accessTokenHttpResponseConverter =
new OAuth2AccessTokenResponseHttpMessageConverter(); new OAuth2AccessTokenResponseHttpMessageConverter();
private final HttpMessageConverter<OAuth2Error> errorHttpResponseConverter = private final HttpMessageConverter<OAuth2Error> errorHttpResponseConverter =
@ -126,7 +124,6 @@ public class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
this.authenticationManager = authenticationManager; this.authenticationManager = authenticationManager;
this.authorizationService = authorizationService; this.authorizationService = authorizationService;
this.tokenEndpointMatcher = new AntPathRequestMatcher(tokenEndpointUri, HttpMethod.POST.name()); this.tokenEndpointMatcher = new AntPathRequestMatcher(tokenEndpointUri, HttpMethod.POST.name());
Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters = new HashMap<>(); Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters = new HashMap<>();
converters.put(AuthorizationGrantType.AUTHORIZATION_CODE, new AuthorizationCodeAuthenticationConverter()); converters.put(AuthorizationGrantType.AUTHORIZATION_CODE, new AuthorizationCodeAuthenticationConverter());
converters.put(AuthorizationGrantType.CLIENT_CREDENTIALS, new ClientCredentialsAuthenticationConverter()); converters.put(AuthorizationGrantType.CLIENT_CREDENTIALS, new ClientCredentialsAuthenticationConverter());
@ -144,18 +141,19 @@ public class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
try { try {
String[] grantTypes = request.getParameterValues(OAuth2ParameterNames.GRANT_TYPE); String[] grantTypes = request.getParameterValues(OAuth2ParameterNames.GRANT_TYPE);
if (grantTypes == null || grantTypes.length == 0) { if (grantTypes == null || grantTypes.length != 1) {
throwError(OAuth2ErrorCodes.INVALID_REQUEST, "grant_type"); throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.GRANT_TYPE);
} }
Authentication authorizationGrantAuthentication = this.authorizationGrantAuthenticationConverter.convert(request); Authentication authorizationGrantAuthentication = this.authorizationGrantAuthenticationConverter.convert(request);
if (authorizationGrantAuthentication == null) { if (authorizationGrantAuthentication == null) {
throwError(OAuth2ErrorCodes.UNSUPPORTED_GRANT_TYPE, "grant_type"); throwError(OAuth2ErrorCodes.UNSUPPORTED_GRANT_TYPE, OAuth2ParameterNames.GRANT_TYPE);
} }
OAuth2AccessTokenAuthenticationToken accessTokenAuthentication = OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
(OAuth2AccessTokenAuthenticationToken) this.authenticationManager.authenticate(authorizationGrantAuthentication); (OAuth2AccessTokenAuthenticationToken) this.authenticationManager.authenticate(authorizationGrantAuthentication);
sendAccessTokenResponse(response, accessTokenAuthentication.getAccessToken()); sendAccessTokenResponse(response, accessTokenAuthentication.getAccessToken());
} catch (OAuth2AuthenticationException ex) { } catch (OAuth2AuthenticationException ex) {
SecurityContextHolder.clearContext(); SecurityContextHolder.clearContext();
sendErrorResponse(response, ex.getError()); sendErrorResponse(response, ex.getError());
@ -191,18 +189,14 @@ public class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
@Override @Override
public Authentication convert(HttpServletRequest request) { public Authentication convert(HttpServletRequest request) {
MultiValueMap<String, String> parameters = OAuth2EndpointUtils.getParameters(request);
// grant_type (REQUIRED) // grant_type (REQUIRED)
String grantType = parameters.getFirst(OAuth2ParameterNames.GRANT_TYPE); String grantType = request.getParameter(OAuth2ParameterNames.GRANT_TYPE);
if (!StringUtils.hasText(grantType) ||
parameters.get(OAuth2ParameterNames.GRANT_TYPE).size() != 1) {
throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.GRANT_TYPE);
}
if (!AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(grantType)) { if (!AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(grantType)) {
throwError(OAuth2ErrorCodes.UNSUPPORTED_GRANT_TYPE, OAuth2ParameterNames.GRANT_TYPE); return null;
} }
MultiValueMap<String, String> parameters = OAuth2EndpointUtils.getParameters(request);
// client_id (REQUIRED) // client_id (REQUIRED)
String clientId = parameters.getFirst(OAuth2ParameterNames.CLIENT_ID); String clientId = parameters.getFirst(OAuth2ParameterNames.CLIENT_ID);
Authentication clientPrincipal = null; Authentication clientPrincipal = null;
@ -239,24 +233,29 @@ public class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
@Override @Override
public Authentication convert(HttpServletRequest request) { public Authentication convert(HttpServletRequest request) {
final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
final OAuth2ClientAuthenticationToken clientAuthenticationToken = (OAuth2ClientAuthenticationToken) authentication;
// grant_type (REQUIRED) // grant_type (REQUIRED)
String grantType = request.getParameter(OAuth2ParameterNames.GRANT_TYPE); String grantType = request.getParameter(OAuth2ParameterNames.GRANT_TYPE);
if (!AuthorizationGrantType.CLIENT_CREDENTIALS.getValue().equals(grantType)) { if (!AuthorizationGrantType.CLIENT_CREDENTIALS.getValue().equals(grantType)) {
throwError(OAuth2ErrorCodes.UNSUPPORTED_GRANT_TYPE, OAuth2ParameterNames.GRANT_TYPE); return null;
} }
Authentication clientPrincipal = SecurityContextHolder.getContext().getAuthentication();
MultiValueMap<String, String> parameters = OAuth2EndpointUtils.getParameters(request);
// scope (OPTIONAL) // scope (OPTIONAL)
// https://tools.ietf.org/html/rfc6749#section-4.4.2 String scope = parameters.getFirst(OAuth2ParameterNames.SCOPE);
String scopeParameter = request.getParameter(OAuth2ParameterNames.SCOPE); if (StringUtils.hasText(scope) &&
if (StringUtils.isEmpty(scopeParameter)) { parameters.get(OAuth2ParameterNames.SCOPE).size() != 1) {
return new OAuth2ClientCredentialsAuthenticationToken(clientAuthenticationToken); throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.SCOPE);
}
if (StringUtils.hasText(scope)) {
Set<String> requestedScopes = new HashSet<>(
Arrays.asList(StringUtils.delimitedListToStringArray(scope, " ")));
return new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal, requestedScopes);
} }
Set<String> requestedScopes = new HashSet<>(Arrays.asList(StringUtils.delimitedListToStringArray(scopeParameter, " "))); return new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal);
return new OAuth2ClientCredentialsAuthenticationToken(clientAuthenticationToken, requestedScopes);
} }
} }
} }

View File

@ -75,15 +75,6 @@ public class OAuth2AuthorizationTests {
.hasMessage("principalName cannot be empty"); .hasMessage("principalName cannot be empty");
} }
@Test
public void buildWhenAuthorizationCodeNotProvidedThenThrowIllegalArgumentException() {
assertThatThrownBy(() ->
OAuth2Authorization.withRegisteredClient(REGISTERED_CLIENT)
.principalName(PRINCIPAL_NAME).build())
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("authorization code cannot be null");
}
@Test @Test
public void attributeWhenNameNullThenThrowIllegalArgumentException() { public void attributeWhenNameNullThenThrowIllegalArgumentException() {
assertThatThrownBy(() -> assertThatThrownBy(() ->

View File

@ -13,104 +13,130 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*/ */
package org.springframework.security.oauth2.server.authorization.authentication; package org.springframework.security.oauth2.server.authorization.authentication;
import java.util.Collections;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import org.mockito.ArgumentCaptor;
import org.springframework.security.core.Authentication; import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException; import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient; import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients; import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
import java.util.Collections;
import java.util.Set;
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy; import static org.assertj.core.api.Assertions.assertThatThrownBy;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
/** /**
* Tests for {@link OAuth2ClientCredentialsAuthenticationProvider}.
*
* @author Alexey Nesterov * @author Alexey Nesterov
* @author Joe Grandja
*/ */
public class OAuth2ClientCredentialsAuthenticationProviderTests { public class OAuth2ClientCredentialsAuthenticationProviderTests {
private RegisteredClient registeredClient;
private static final RegisteredClient EXISTING_CLIENT = TestRegisteredClients.registeredClient().build(); private OAuth2AuthorizationService authorizationService;
private OAuth2ClientCredentialsAuthenticationProvider authenticationProvider; private OAuth2ClientCredentialsAuthenticationProvider authenticationProvider;
@Before @Before
public void setUp() { public void setUp() {
this.authenticationProvider = new OAuth2ClientCredentialsAuthenticationProvider(); this.registeredClient = TestRegisteredClients.registeredClient().build();
this.authorizationService = mock(OAuth2AuthorizationService.class);
this.authenticationProvider = new OAuth2ClientCredentialsAuthenticationProvider(this.authorizationService);
} }
@Test @Test
public void supportsWhenSupportedClassThenTrue() { public void constructorWhenAuthorizationServiceNullThenThrowIllegalArgumentException() {
assertThatThrownBy(() -> new OAuth2ClientCredentialsAuthenticationProvider(null))
.isInstanceOf(IllegalArgumentException.class)
.hasMessage("authorizationService cannot be null");
}
@Test
public void supportsWhenSupportedAuthenticationThenTrue() {
assertThat(this.authenticationProvider.supports(OAuth2ClientCredentialsAuthenticationToken.class)).isTrue(); assertThat(this.authenticationProvider.supports(OAuth2ClientCredentialsAuthenticationToken.class)).isTrue();
} }
@Test @Test
public void supportsWhenUnsupportedClassThenFalse() { public void supportsWhenUnsupportedAuthenticationThenFalse() {
assertThat(this.authenticationProvider.supports(OAuth2AuthorizationCodeAuthenticationProvider.class)).isFalse(); assertThat(this.authenticationProvider.supports(OAuth2AuthorizationCodeAuthenticationToken.class)).isFalse();
} }
@Test @Test
public void authenticateWhenValidAuthenticationThenReturnTokenWithClient() { public void authenticateWhenClientPrincipalNotOAuth2ClientAuthenticationTokenThenThrowOAuth2AuthenticationException() {
Authentication authentication = this.authenticationProvider.authenticate(getAuthentication()); TestingAuthenticationToken clientPrincipal = new TestingAuthenticationToken(
assertThat(authentication).isInstanceOf(OAuth2AccessTokenAuthenticationToken.class); this.registeredClient.getClientId(), this.registeredClient.getClientSecret());
OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal);
OAuth2AccessTokenAuthenticationToken token = (OAuth2AccessTokenAuthenticationToken) authentication;
assertThat(token.getRegisteredClient()).isEqualTo(EXISTING_CLIENT);
}
@Test
public void authenticateWhenValidAuthenticationThenGenerateTokenValue() {
Authentication authentication = this.authenticationProvider.authenticate(getAuthentication());
OAuth2AccessTokenAuthenticationToken token = (OAuth2AccessTokenAuthenticationToken) authentication;
assertThat(token.getAccessToken().getTokenValue()).isNotBlank();
}
@Test
public void authenticateWhenValidateScopeThenReturnTokenWithScopes() {
Authentication authentication = this.authenticationProvider.authenticate(getAuthentication());
OAuth2AccessTokenAuthenticationToken token = (OAuth2AccessTokenAuthenticationToken) authentication;
assertThat(token.getAccessToken().getScopes()).containsAll(EXISTING_CLIENT.getScopes());
}
@Test
public void authenticateWhenNoScopeRequestedThenUseDefaultScopes() {
OAuth2ClientCredentialsAuthenticationToken authenticationToken = new OAuth2ClientCredentialsAuthenticationToken(new OAuth2ClientAuthenticationToken(EXISTING_CLIENT));
Authentication authentication = this.authenticationProvider.authenticate(authenticationToken);
OAuth2AccessTokenAuthenticationToken token = (OAuth2AccessTokenAuthenticationToken) authentication;
assertThat(token.getAccessToken().getScopes()).containsAll(EXISTING_CLIENT.getScopes());
}
@Test
public void authenticateWhenInvalidSecretThenThrowException() {
OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(
new OAuth2ClientAuthenticationToken(EXISTING_CLIENT.getClientId(), "not-a-valid-secret"));
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication)) assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class); .isInstanceOf(OAuth2AuthenticationException.class)
.extracting(ex -> ((OAuth2AuthenticationException) ex).getError())
.extracting("errorCode")
.isEqualTo(OAuth2ErrorCodes.INVALID_CLIENT);
} }
@Test @Test
public void authenticateWhenNonExistingClientThenThrowException() { public void authenticateWhenClientPrincipalNotAuthenticatedThenThrowOAuth2AuthenticationException() {
OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken( OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
new OAuth2ClientAuthenticationToken("another-client-id", "another-secret")); this.registeredClient.getClientId(), this.registeredClient.getClientSecret());
OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal);
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication)) assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class); .isInstanceOf(OAuth2AuthenticationException.class)
.extracting(ex -> ((OAuth2AuthenticationException) ex).getError())
.extracting("errorCode")
.isEqualTo(OAuth2ErrorCodes.INVALID_CLIENT);
} }
@Test @Test
public void authenticateWhenInvalidScopesThenThrowException() { public void authenticateWhenInvalidScopeThenThrowOAuth2AuthenticationException() {
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(this.registeredClient);
OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken( OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(
new OAuth2ClientAuthenticationToken(EXISTING_CLIENT), Collections.singleton("non-existing-scope")); clientPrincipal, Collections.singleton("invalid-scope"));
assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication)) assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.isInstanceOf(OAuth2AuthenticationException.class); .isInstanceOf(OAuth2AuthenticationException.class)
.extracting(ex -> ((OAuth2AuthenticationException) ex).getError())
.extracting("errorCode")
.isEqualTo(OAuth2ErrorCodes.INVALID_SCOPE);
} }
private OAuth2ClientCredentialsAuthenticationToken getAuthentication() { @Test
return new OAuth2ClientCredentialsAuthenticationToken(new OAuth2ClientAuthenticationToken(EXISTING_CLIENT), EXISTING_CLIENT.getScopes()); public void authenticateWhenScopeRequestedThenAccessTokenContainsScope() {
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(this.registeredClient);
Set<String> requestedScope = Collections.singleton("openid");
OAuth2ClientCredentialsAuthenticationToken authentication =
new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal, requestedScope);
OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
(OAuth2AccessTokenAuthenticationToken) this.authenticationProvider.authenticate(authentication);
assertThat(accessTokenAuthentication.getAccessToken().getScopes()).isEqualTo(requestedScope);
}
@Test
public void authenticateWhenValidAuthenticationThenReturnAccessToken() {
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(this.registeredClient);
OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal);
OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
(OAuth2AccessTokenAuthenticationToken) this.authenticationProvider.authenticate(authentication);
ArgumentCaptor<OAuth2Authorization> authorizationCaptor = ArgumentCaptor.forClass(OAuth2Authorization.class);
verify(this.authorizationService).save(authorizationCaptor.capture());
OAuth2Authorization authorization = authorizationCaptor.getValue();
assertThat(authorization.getRegisteredClientId()).isEqualTo(clientPrincipal.getRegisteredClient().getId());
assertThat(authorization.getPrincipalName()).isEqualTo(clientPrincipal.getName());
assertThat(authorization.getAccessToken()).isNotNull();
assertThat(authorization.getAccessToken().getScopes()).isEqualTo(clientPrincipal.getRegisteredClient().getScopes());
assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal);
assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(authorization.getAccessToken());
} }
} }

View File

@ -13,24 +13,23 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*/ */
package org.springframework.security.oauth2.server.authorization.authentication; package org.springframework.security.oauth2.server.authorization.authentication;
import org.junit.Test;
import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
import java.util.Collections; import java.util.Collections;
import java.util.Set; import java.util.Set;
import org.junit.Test;
import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy; import static org.assertj.core.api.Assertions.assertThatThrownBy;
/** /**
* Tests for {@link OAuth2ClientCredentialsAuthenticationToken}.
*
* @author Alexey Nesterov * @author Alexey Nesterov
*/ */
public class OAuth2ClientCredentialsAuthenticationTokenTests { public class OAuth2ClientCredentialsAuthenticationTokenTests {
private final OAuth2ClientAuthenticationToken clientPrincipal = private final OAuth2ClientAuthenticationToken clientPrincipal =
new OAuth2ClientAuthenticationToken(TestRegisteredClients.registeredClient().build()); new OAuth2ClientAuthenticationToken(TestRegisteredClients.registeredClient().build());
@ -43,15 +42,15 @@ public class OAuth2ClientCredentialsAuthenticationTokenTests {
@Test @Test
public void constructorWhenScopesNullThenThrowIllegalArgumentException() { public void constructorWhenScopesNullThenThrowIllegalArgumentException() {
assertThatThrownBy(() -> new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal, null)) assertThatThrownBy(() -> new OAuth2ClientCredentialsAuthenticationToken(this.clientPrincipal, null))
.isInstanceOf(IllegalArgumentException.class) .isInstanceOf(IllegalArgumentException.class)
.hasMessage("scopes cannot be null"); .hasMessage("scopes cannot be null");
} }
@Test @Test
public void constructorWhenClientPrincipalProvidedThenCreated() { public void constructorWhenClientPrincipalProvidedThenCreated() {
OAuth2ClientCredentialsAuthenticationToken authentication OAuth2ClientCredentialsAuthenticationToken authentication =
= new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal); new OAuth2ClientCredentialsAuthenticationToken(this.clientPrincipal);
assertThat(authentication.getPrincipal()).isEqualTo(this.clientPrincipal); assertThat(authentication.getPrincipal()).isEqualTo(this.clientPrincipal);
assertThat(authentication.getCredentials().toString()).isEmpty(); assertThat(authentication.getCredentials().toString()).isEmpty();
@ -62,12 +61,11 @@ public class OAuth2ClientCredentialsAuthenticationTokenTests {
public void constructorWhenScopesProvidedThenCreated() { public void constructorWhenScopesProvidedThenCreated() {
Set<String> expectedScopes = Collections.singleton("test-scope"); Set<String> expectedScopes = Collections.singleton("test-scope");
OAuth2ClientCredentialsAuthenticationToken authentication OAuth2ClientCredentialsAuthenticationToken authentication =
= new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal, expectedScopes); new OAuth2ClientCredentialsAuthenticationToken(this.clientPrincipal, expectedScopes);
assertThat(authentication.getPrincipal()).isEqualTo(this.clientPrincipal); assertThat(authentication.getPrincipal()).isEqualTo(this.clientPrincipal);
assertThat(authentication.getCredentials().toString()).isEmpty(); assertThat(authentication.getCredentials().toString()).isEmpty();
assertThat(authentication.getScopes()).containsAll(expectedScopes); assertThat(authentication.getScopes()).isEqualTo(expectedScopes);
} }
} }

View File

@ -40,10 +40,13 @@ public class TestRegisteredClients {
.clientId("client-2") .clientId("client-2")
.clientSecret("secret") .clientSecret("secret")
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE) .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC) .clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
.redirectUri("https://example.com") .redirectUri("https://example.com")
.scope("openid") .scope("openid")
.scope("profile") .scope("profile")
.scope("email"); .scope("email")
.scope("scope1")
.scope("scope2");
} }
} }

View File

@ -13,84 +13,102 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*/ */
package org.springframework.security.oauth2.server.authorization.web; package org.springframework.security.oauth2.server.authorization.web;
import javax.servlet.http.HttpServletRequest;
import java.util.Collections;
import java.util.Map;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import org.springframework.core.convert.converter.Converter; import org.springframework.core.convert.converter.Converter;
import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockServletContext; import org.springframework.mock.web.MockServletContext;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.AuthorizationGrantType; import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken; import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import javax.servlet.http.HttpServletRequest;
import java.util.Collections;
import java.util.Map;
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.mock; import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoInteractions; import static org.mockito.Mockito.verifyNoInteractions;
import static org.mockito.Mockito.when; import static org.mockito.Mockito.when;
/** /**
* Tests for {@link DelegatingAuthorizationGrantAuthenticationConverter}.
*
* @author Alexey Nesterov * @author Alexey Nesterov
*/ */
public class DelegatingAuthorizationGrantAuthenticationConverterTests { public class DelegatingAuthorizationGrantAuthenticationConverterTests {
private Converter<HttpServletRequest, Authentication> clientCredentialsAuthenticationConverter;
private DelegatingAuthorizationGrantAuthenticationConverter authenticationConverter; private DelegatingAuthorizationGrantAuthenticationConverter authenticationConverter;
private Converter<HttpServletRequest, Authentication> clientCredentialsConverterMock;
@Before @Before
public void setUp() { public void setUp() {
clientCredentialsConverterMock = mock(Converter.class); this.clientCredentialsAuthenticationConverter = mock(Converter.class);
Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters =
= Collections.singletonMap(AuthorizationGrantType.CLIENT_CREDENTIALS, clientCredentialsConverterMock); Collections.singletonMap(AuthorizationGrantType.CLIENT_CREDENTIALS, this.clientCredentialsAuthenticationConverter);
authenticationConverter = new DelegatingAuthorizationGrantAuthenticationConverter(converters); this.authenticationConverter = new DelegatingAuthorizationGrantAuthenticationConverter(converters);
} }
@Test @Test
public void convertWhenAuthorizationGrantTypeSupportedThenConverterCalled() { public void constructorWhenConvertersEmptyThenThrowIllegalArgumentException() {
MockHttpServletRequest request = MockMvcRequestBuilders assertThatThrownBy(() -> new DelegatingAuthorizationGrantAuthenticationConverter(Collections.emptyMap()))
.post("/oauth/token") .isInstanceOf(IllegalArgumentException.class)
.param("grant_type", "client_credentials") .hasMessage("converters cannot be empty");
.buildRequest(new MockServletContext());
OAuth2ClientAuthenticationToken expectedAuthentication = new OAuth2ClientAuthenticationToken("id", "secret");
when(clientCredentialsConverterMock.convert(request)).thenReturn(expectedAuthentication);
Authentication actualAuthentication = authenticationConverter.convert(request);
verify(clientCredentialsConverterMock).convert(request);
assertThat(actualAuthentication).isEqualTo(expectedAuthentication);
} }
@Test @Test
public void convertWhenAuthorizationGrantTypeNotSupportedThenNull() { public void convertWhenRequestNullThenThrowIllegalArgumentException() {
MockHttpServletRequest request = MockMvcRequestBuilders assertThatThrownBy(() -> this.authenticationConverter.convert(null))
.post("/oauth/token") .isInstanceOf(IllegalArgumentException.class)
.param("grant_type", "authorization_code") .hasMessage("request cannot be null");
.buildRequest(new MockServletContext());
Authentication actualAuthentication = authenticationConverter.convert(request);
verifyNoInteractions(clientCredentialsConverterMock);
assertThat(actualAuthentication).isNull();
} }
@Test @Test
public void convertWhenNoAuthorizationGrantTypeThenNull() { public void convertWhenGrantTypeMissingThenNull() {
MockHttpServletRequest request = MockMvcRequestBuilders MockHttpServletRequest request = MockMvcRequestBuilders
.post("/oauth/token") .post(OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI)
.buildRequest(new MockServletContext()); .buildRequest(new MockServletContext());
Authentication actualAuthentication = authenticationConverter.convert(request); Authentication authentication = this.authenticationConverter.convert(request);
assertThat(authentication).isNull();
verifyNoInteractions(this.clientCredentialsAuthenticationConverter);
}
verifyNoInteractions(clientCredentialsConverterMock); @Test
assertThat(actualAuthentication).isNull(); public void convertWhenGrantTypeUnsupportedThenNull() {
MockHttpServletRequest request = MockMvcRequestBuilders
.post(OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI)
.param(OAuth2ParameterNames.GRANT_TYPE, "extension_grant_type")
.buildRequest(new MockServletContext());
Authentication authentication = this.authenticationConverter.convert(request);
assertThat(authentication).isNull();
verifyNoInteractions(this.clientCredentialsAuthenticationConverter);
}
@Test
public void convertWhenGrantTypeSupportedThenConverterCalled() {
OAuth2ClientCredentialsAuthenticationToken expectedAuthentication =
new OAuth2ClientCredentialsAuthenticationToken(
new OAuth2ClientAuthenticationToken(
TestRegisteredClients.registeredClient().build()));
when(this.clientCredentialsAuthenticationConverter.convert(any())).thenReturn(expectedAuthentication);
MockHttpServletRequest request = MockMvcRequestBuilders
.post(OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI)
.param(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
.buildRequest(new MockServletContext());
Authentication authentication = this.authenticationConverter.convert(request);
assertThat(authentication).isEqualTo(expectedAuthentication);
verify(this.clientCredentialsAuthenticationConverter).convert(request);
} }
} }

View File

@ -13,42 +13,49 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*/ */
package org.springframework.security.oauth2.server.authorization.web; package org.springframework.security.oauth2.server.authorization.web;
import org.junit.Before; import org.junit.Before;
import org.junit.BeforeClass; import org.junit.BeforeClass;
import org.junit.Rule; import org.junit.Rule;
import org.junit.Test; import org.junit.Test;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Import; import org.springframework.context.annotation.Import;
import org.springframework.http.HttpHeaders;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.oauth2.server.authorization.OAuth2AuthorizationServerConfiguration; import org.springframework.security.config.annotation.web.configuration.oauth2.server.authorization.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.config.test.SpringTestRule; import org.springframework.security.config.test.SpringTestRule;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService; import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient; import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository; import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients; import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.MockMvc;
import static org.hamcrest.CoreMatchers.endsWith; import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.Mockito.mock; import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.reset; import static org.mockito.Mockito.reset;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoInteractions;
import static org.mockito.Mockito.when; import static org.mockito.Mockito.when;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf; import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
/** /**
* Integration tests for the OAuth 2.0 Client Credentials Grant.
*
* @author Alexey Nesterov * @author Alexey Nesterov
*/ */
public class OAuth2ClientCredentialsGrantTests { public class OAuth2ClientCredentialsGrantTests {
private static RegisteredClientRepository registeredClientRepository; private static RegisteredClientRepository registeredClientRepository;
private static OAuth2AuthorizationService authorizationService; private static OAuth2AuthorizationService authorizationService;
@ -71,35 +78,46 @@ public class OAuth2ClientCredentialsGrantTests {
} }
@Test @Test
public void requestWhenTokenRequestAuthenticatedThenThenReturnTokenAndScope() throws Exception { public void requestWhenTokenRequestNotAuthenticatedThenUnauthorized() throws Exception {
this.spring.register(AuthorizationServerConfiguration.class).autowire(); this.spring.register(AuthorizationServerConfiguration.class).autowire();
RegisteredClient client = TestRegisteredClients.registeredClient().build();
when(registeredClientRepository.findByClientId(client.getClientId()))
.thenReturn(client);
this.mvc.perform(post(OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI) this.mvc.perform(post(OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI)
.with(httpBasic(client.getClientId(), client.getClientSecret())) .param(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
.with(csrf()) .with(csrf()))
.param("grant_type", "client_credentials") .andExpect(status().isUnauthorized());
.param("scope", "email openid"))
.andExpect(status().isOk()) verifyNoInteractions(registeredClientRepository);
.andExpect(jsonPath("$.access_token").isNotEmpty()) verifyNoInteractions(authorizationService);
.andExpect(jsonPath("$.scope").value("openid email"));
} }
@Test @Test
public void requestWhenTokenRequestNotAuthenticatedThenRedirect() throws Exception { public void requestWhenTokenRequestValidThenTokenResponse() throws Exception {
this.spring.register(AuthorizationServerConfiguration.class).autowire(); this.spring.register(AuthorizationServerConfiguration.class).autowire();
RegisteredClient client = TestRegisteredClients.registeredClient().build();
when(registeredClientRepository.findByClientId(client.getClientId())) RegisteredClient registeredClient = TestRegisteredClients.registeredClient2().build();
.thenReturn(client); when(registeredClientRepository.findByClientId(eq(registeredClient.getClientId())))
.thenReturn(registeredClient);
this.mvc.perform(post(OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI) this.mvc.perform(post(OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI)
.with(csrf()) .param(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
.param("grant_type", "client_credentials") .param(OAuth2ParameterNames.SCOPE, "scope1 scope2")
.param("scope", "email openid")) .header(HttpHeaders.AUTHORIZATION, "Basic " + encodeBasicAuth(
.andExpect(status().isFound()) registeredClient.getClientId(), registeredClient.getClientSecret()))
.andExpect(header().string("Location", endsWith("/login"))); .with(csrf()))
.andExpect(status().isOk())
.andExpect(jsonPath("$.access_token").isNotEmpty())
.andExpect(jsonPath("$.scope").value("scope1 scope2"));
verify(registeredClientRepository).findByClientId(eq(registeredClient.getClientId()));
verify(authorizationService).save(any());
}
private static String encodeBasicAuth(String clientId, String secret) throws Exception {
clientId = URLEncoder.encode(clientId, StandardCharsets.UTF_8.name());
secret = URLEncoder.encode(secret, StandardCharsets.UTF_8.name());
String credentialsString = clientId + ":" + secret;
byte[] encodedBytes = Base64.getEncoder().encode(credentialsString.getBytes(StandardCharsets.UTF_8));
return new String(encodedBytes, StandardCharsets.UTF_8);
} }
@EnableWebSecurity @EnableWebSecurity

View File

@ -19,7 +19,6 @@ import org.junit.After;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import org.mockito.ArgumentCaptor; import org.mockito.ArgumentCaptor;
import org.springframework.http.HttpStatus; import org.springframework.http.HttpStatus;
import org.springframework.http.converter.HttpMessageConverter; import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.mock.http.client.MockClientHttpResponse; import org.springframework.mock.http.client.MockClientHttpResponse;
@ -44,17 +43,15 @@ import org.springframework.security.oauth2.server.authorization.authentication.O
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken; import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient; import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients; import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
import org.springframework.util.StringUtils;
import javax.servlet.FilterChain; import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.time.Duration; import java.time.Duration;
import java.time.Instant; import java.time.Instant;
import java.util.Arrays; import java.util.Arrays;
import java.util.HashSet; import java.util.HashSet;
import java.util.function.Consumer;
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy; import static org.assertj.core.api.Assertions.assertThatThrownBy;
@ -140,58 +137,77 @@ public class OAuth2TokenEndpointFilterTests {
@Test @Test
public void doFilterWhenTokenRequestMissingGrantTypeThenInvalidRequestError() throws Exception { public void doFilterWhenTokenRequestMissingGrantTypeThenInvalidRequestError() throws Exception {
MockHttpServletRequest request = createAuthorizationCodeTokenRequest(
TestRegisteredClients.registeredClient().build());
request.removeParameter(OAuth2ParameterNames.GRANT_TYPE);
doFilterWhenTokenRequestInvalidParameterThenError( doFilterWhenTokenRequestInvalidParameterThenError(
OAuth2ParameterNames.GRANT_TYPE, OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.GRANT_TYPE, OAuth2ErrorCodes.INVALID_REQUEST, request);
request -> request.removeParameter(OAuth2ParameterNames.GRANT_TYPE));
} }
@Test @Test
public void doFilterWhenTokenRequestMultipleGrantTypeThenInvalidRequestError() throws Exception { public void doFilterWhenTokenRequestMultipleGrantTypeThenInvalidRequestError() throws Exception {
MockHttpServletRequest request = createAuthorizationCodeTokenRequest(
TestRegisteredClients.registeredClient().build());
request.addParameter(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.AUTHORIZATION_CODE.getValue());
doFilterWhenTokenRequestInvalidParameterThenError( doFilterWhenTokenRequestInvalidParameterThenError(
OAuth2ParameterNames.GRANT_TYPE, OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.GRANT_TYPE, OAuth2ErrorCodes.INVALID_REQUEST, request);
request -> request.addParameter(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.AUTHORIZATION_CODE.getValue()));
} }
@Test @Test
public void doFilterWhenTokenRequestInvalidGrantTypeThenUnsupportedGrantTypeError() throws Exception { public void doFilterWhenTokenRequestInvalidGrantTypeThenUnsupportedGrantTypeError() throws Exception {
MockHttpServletRequest request = createAuthorizationCodeTokenRequest(
TestRegisteredClients.registeredClient().build());
request.setParameter(OAuth2ParameterNames.GRANT_TYPE, "invalid-grant-type");
doFilterWhenTokenRequestInvalidParameterThenError( doFilterWhenTokenRequestInvalidParameterThenError(
OAuth2ParameterNames.GRANT_TYPE, OAuth2ErrorCodes.UNSUPPORTED_GRANT_TYPE, OAuth2ParameterNames.GRANT_TYPE, OAuth2ErrorCodes.UNSUPPORTED_GRANT_TYPE, request);
request -> request.setParameter(OAuth2ParameterNames.GRANT_TYPE, "invalid-grant-type"));
} }
@Test @Test
public void doFilterWhenTokenRequestMultipleClientIdThenInvalidRequestError() throws Exception { public void doFilterWhenTokenRequestMultipleClientIdThenInvalidRequestError() throws Exception {
MockHttpServletRequest request = createAuthorizationCodeTokenRequest(
TestRegisteredClients.registeredClient().build());
request.addParameter(OAuth2ParameterNames.CLIENT_ID, "client-1");
request.addParameter(OAuth2ParameterNames.CLIENT_ID, "client-2");
doFilterWhenTokenRequestInvalidParameterThenError( doFilterWhenTokenRequestInvalidParameterThenError(
OAuth2ParameterNames.CLIENT_ID, OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.CLIENT_ID, OAuth2ErrorCodes.INVALID_REQUEST, request);
request -> {
request.addParameter(OAuth2ParameterNames.CLIENT_ID, "client-1");
request.addParameter(OAuth2ParameterNames.CLIENT_ID, "client-2");
});
} }
@Test @Test
public void doFilterWhenTokenRequestMissingCodeThenInvalidRequestError() throws Exception { public void doFilterWhenTokenRequestMissingCodeThenInvalidRequestError() throws Exception {
MockHttpServletRequest request = createAuthorizationCodeTokenRequest(
TestRegisteredClients.registeredClient().build());
request.removeParameter(OAuth2ParameterNames.CODE);
doFilterWhenTokenRequestInvalidParameterThenError( doFilterWhenTokenRequestInvalidParameterThenError(
OAuth2ParameterNames.CODE, OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.CODE, OAuth2ErrorCodes.INVALID_REQUEST, request);
request -> request.removeParameter(OAuth2ParameterNames.CODE));
} }
@Test @Test
public void doFilterWhenTokenRequestMultipleCodeThenInvalidRequestError() throws Exception { public void doFilterWhenTokenRequestMultipleCodeThenInvalidRequestError() throws Exception {
MockHttpServletRequest request = createAuthorizationCodeTokenRequest(
TestRegisteredClients.registeredClient().build());
request.addParameter(OAuth2ParameterNames.CODE, "code-2");
doFilterWhenTokenRequestInvalidParameterThenError( doFilterWhenTokenRequestInvalidParameterThenError(
OAuth2ParameterNames.CODE, OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.CODE, OAuth2ErrorCodes.INVALID_REQUEST, request);
request -> request.addParameter(OAuth2ParameterNames.CODE, "code-2"));
} }
@Test @Test
public void doFilterWhenTokenRequestMultipleRedirectUriThenInvalidRequestError() throws Exception { public void doFilterWhenTokenRequestMultipleRedirectUriThenInvalidRequestError() throws Exception {
MockHttpServletRequest request = createAuthorizationCodeTokenRequest(
TestRegisteredClients.registeredClient().build());
request.addParameter(OAuth2ParameterNames.REDIRECT_URI, "https://example2.com");
doFilterWhenTokenRequestInvalidParameterThenError( doFilterWhenTokenRequestInvalidParameterThenError(
OAuth2ParameterNames.REDIRECT_URI, OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.REDIRECT_URI, OAuth2ErrorCodes.INVALID_REQUEST, request);
request -> request.addParameter(OAuth2ParameterNames.REDIRECT_URI, "https://example2.com"));
} }
@Test @Test
public void doFilterWhenTokenRequestValidThenAccessTokenResponse() throws Exception { public void doFilterWhenAuthorizationCodeTokenRequestValidThenAccessTokenResponse() throws Exception {
RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build(); RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
Authentication clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient); Authentication clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient);
OAuth2AccessToken accessToken = new OAuth2AccessToken( OAuth2AccessToken accessToken = new OAuth2AccessToken(
@ -208,7 +224,7 @@ public class OAuth2TokenEndpointFilterTests {
securityContext.setAuthentication(clientPrincipal); securityContext.setAuthentication(clientPrincipal);
SecurityContextHolder.setContext(securityContext); SecurityContextHolder.setContext(securityContext);
MockHttpServletRequest request = createTokenRequest(registeredClient); MockHttpServletRequest request = createAuthorizationCodeTokenRequest(registeredClient);
MockHttpServletResponse response = new MockHttpServletResponse(); MockHttpServletResponse response = new MockHttpServletResponse();
FilterChain filterChain = mock(FilterChain.class); FilterChain filterChain = mock(FilterChain.class);
@ -242,38 +258,24 @@ public class OAuth2TokenEndpointFilterTests {
} }
@Test @Test
public void doFilterWhenGrantTypeIsClientCredentialsThenAuthenticateWithClientCredentialsToken() throws ServletException, IOException { public void doFilterWhenTokenRequestMultipleScopeThenInvalidRequestError() throws Exception {
RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build(); RegisteredClient registeredClient = TestRegisteredClients.registeredClient2().build();
doFilterForClientCredentialsGrant(registeredClient, null); Authentication clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient);
ArgumentCaptor<Authentication> captor = ArgumentCaptor.forClass(Authentication.class); SecurityContext securityContext = SecurityContextHolder.createEmptyContext();
verify(this.authenticationManager).authenticate(captor.capture()); securityContext.setAuthentication(clientPrincipal);
SecurityContextHolder.setContext(securityContext);
assertThat(captor.getValue()).isInstanceOf(OAuth2ClientCredentialsAuthenticationToken.class); MockHttpServletRequest request = createClientCredentialsTokenRequest(registeredClient);
OAuth2ClientCredentialsAuthenticationToken clientAuthenticationToken = (OAuth2ClientCredentialsAuthenticationToken) captor.getValue(); request.addParameter(OAuth2ParameterNames.SCOPE, "profile");
assertThat(clientAuthenticationToken.getPrincipal()).isEqualTo(new OAuth2ClientAuthenticationToken(registeredClient)); doFilterWhenTokenRequestInvalidParameterThenError(
OAuth2ParameterNames.SCOPE, OAuth2ErrorCodes.INVALID_REQUEST, request);
} }
@Test @Test
public void doFilterWhenGrantTypeIsClientCredentialsWithScopeThenIncludeScopeInResponse() throws ServletException, IOException { public void doFilterWhenClientCredentialsTokenRequestValidThenAccessTokenResponse() throws Exception {
RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build(); RegisteredClient registeredClient = TestRegisteredClients.registeredClient2().build();
doFilterForClientCredentialsGrant(registeredClient, "openid email");
ArgumentCaptor<Authentication> captor = ArgumentCaptor.forClass(Authentication.class);
verify(this.authenticationManager).authenticate(captor.capture());
assertThat(captor.getValue()).isInstanceOf(OAuth2ClientCredentialsAuthenticationToken.class);
OAuth2ClientCredentialsAuthenticationToken clientAuthenticationToken = (OAuth2ClientCredentialsAuthenticationToken) captor.getValue();
HashSet<String> expectedScopes = new HashSet<>();
expectedScopes.add("openid");
expectedScopes.add("email");
assertThat(clientAuthenticationToken.getScopes()).isEqualTo(expectedScopes);
}
private void doFilterForClientCredentialsGrant(RegisteredClient registeredClient, String scope) throws ServletException, IOException {
Authentication clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient); Authentication clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient);
OAuth2AccessToken accessToken = new OAuth2AccessToken( OAuth2AccessToken accessToken = new OAuth2AccessToken(
OAuth2AccessToken.TokenType.BEARER, "token", OAuth2AccessToken.TokenType.BEARER, "token",
@ -282,35 +284,46 @@ public class OAuth2TokenEndpointFilterTests {
OAuth2AccessTokenAuthenticationToken accessTokenAuthentication = OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
new OAuth2AccessTokenAuthenticationToken( new OAuth2AccessTokenAuthenticationToken(
registeredClient, clientPrincipal, accessToken); registeredClient, clientPrincipal, accessToken);
final String clientId = registeredClient.getClientId();
final String clientSecret = registeredClient.getClientSecret();
MockHttpServletRequest request = new MockHttpServletRequest("POST", OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI);
request.setServletPath(OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI);
request.addParameter("client_id", clientId);
request.addParameter("client_secret", clientSecret);
request.addParameter("grant_type", AuthorizationGrantType.CLIENT_CREDENTIALS.getValue());
if (scope != null) {
request.addParameter("scope", scope);
}
when(this.authenticationManager.authenticate(any())).thenReturn(accessTokenAuthentication); when(this.authenticationManager.authenticate(any())).thenReturn(accessTokenAuthentication);
SecurityContext context = SecurityContextHolder.createEmptyContext(); SecurityContext securityContext = SecurityContextHolder.createEmptyContext();
context.setAuthentication(new OAuth2ClientAuthenticationToken(registeredClient)); securityContext.setAuthentication(clientPrincipal);
SecurityContextHolder.setContext(context); SecurityContextHolder.setContext(securityContext);
MockHttpServletRequest request = createClientCredentialsTokenRequest(registeredClient);
MockHttpServletResponse response = new MockHttpServletResponse(); MockHttpServletResponse response = new MockHttpServletResponse();
filter.doFilter(request, response, mock(FilterChain.class)); FilterChain filterChain = mock(FilterChain.class);
this.filter.doFilter(request, response, filterChain);
verifyNoInteractions(filterChain);
ArgumentCaptor<OAuth2ClientCredentialsAuthenticationToken> clientCredentialsAuthenticationCaptor =
ArgumentCaptor.forClass(OAuth2ClientCredentialsAuthenticationToken.class);
verify(this.authenticationManager).authenticate(clientCredentialsAuthenticationCaptor.capture());
OAuth2ClientCredentialsAuthenticationToken clientCredentialsAuthentication =
clientCredentialsAuthenticationCaptor.getValue();
assertThat(clientCredentialsAuthentication.getPrincipal()).isEqualTo(clientPrincipal);
assertThat(clientCredentialsAuthentication.getScopes()).isEqualTo(registeredClient.getScopes());
assertThat(response.getStatus()).isEqualTo(HttpStatus.OK.value());
OAuth2AccessTokenResponse accessTokenResponse = readAccessTokenResponse(response);
OAuth2AccessToken accessTokenResult = accessTokenResponse.getAccessToken();
assertThat(accessTokenResult.getTokenType()).isEqualTo(accessToken.getTokenType());
assertThat(accessTokenResult.getTokenValue()).isEqualTo(accessToken.getTokenValue());
assertThat(accessTokenResult.getIssuedAt()).isBetween(
accessToken.getIssuedAt().minusSeconds(1), accessToken.getIssuedAt().plusSeconds(1));
assertThat(accessTokenResult.getExpiresAt()).isBetween(
accessToken.getExpiresAt().minusSeconds(1), accessToken.getExpiresAt().plusSeconds(1));
assertThat(accessTokenResult.getScopes()).isEqualTo(accessToken.getScopes());
} }
private void doFilterWhenTokenRequestInvalidParameterThenError(String parameterName, String errorCode, private void doFilterWhenTokenRequestInvalidParameterThenError(String parameterName, String errorCode,
Consumer<MockHttpServletRequest> requestConsumer) throws Exception { MockHttpServletRequest request) throws Exception {
RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
MockHttpServletRequest request = createTokenRequest(registeredClient);
requestConsumer.accept(request);
MockHttpServletResponse response = new MockHttpServletResponse(); MockHttpServletResponse response = new MockHttpServletResponse();
FilterChain filterChain = mock(FilterChain.class); FilterChain filterChain = mock(FilterChain.class);
@ -336,7 +349,7 @@ public class OAuth2TokenEndpointFilterTests {
return this.accessTokenHttpResponseConverter.read(OAuth2AccessTokenResponse.class, httpResponse); return this.accessTokenHttpResponseConverter.read(OAuth2AccessTokenResponse.class, httpResponse);
} }
private static MockHttpServletRequest createTokenRequest(RegisteredClient registeredClient) { private static MockHttpServletRequest createAuthorizationCodeTokenRequest(RegisteredClient registeredClient) {
String[] redirectUris = registeredClient.getRedirectUris().toArray(new String[0]); String[] redirectUris = registeredClient.getRedirectUris().toArray(new String[0]);
String requestUri = OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI; String requestUri = OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI;
@ -349,4 +362,16 @@ public class OAuth2TokenEndpointFilterTests {
return request; return request;
} }
private static MockHttpServletRequest createClientCredentialsTokenRequest(RegisteredClient registeredClient) {
String requestUri = OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI;
MockHttpServletRequest request = new MockHttpServletRequest("POST", requestUri);
request.setServletPath(requestUri);
request.addParameter(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.CLIENT_CREDENTIALS.getValue());
request.addParameter(OAuth2ParameterNames.SCOPE,
StringUtils.collectionToDelimitedString(registeredClient.getScopes(), " "));
return request;
}
} }