Use OAuth2ParameterNames.TOKEN

Issue gh-83
This commit is contained in:
Joe Grandja 2020-11-03 20:50:01 -05:00
parent df8793c902
commit ebcdf7989d
3 changed files with 19 additions and 22 deletions

View File

@ -26,6 +26,7 @@ import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.core.http.converter.OAuth2ErrorHttpMessageConverter;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenRevocationAuthenticationProvider;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenRevocationAuthenticationToken;
@ -53,9 +54,6 @@ import java.io.IOException;
* @since 0.0.3
*/
public class OAuth2TokenRevocationEndpointFilter extends OncePerRequestFilter {
static final String TOKEN_PARAM_NAME = "token";
static final String TOKEN_TYPE_HINT_PARAM_NAME = "token_type_hint";
/**
* The default endpoint {@code URI} for token revocation requests.
*/
@ -133,17 +131,17 @@ public class OAuth2TokenRevocationEndpointFilter extends OncePerRequestFilter {
MultiValueMap<String, String> parameters = OAuth2EndpointUtils.getParameters(request);
// token (REQUIRED)
String token = parameters.getFirst(TOKEN_PARAM_NAME);
String token = parameters.getFirst(OAuth2ParameterNames.TOKEN);
if (!StringUtils.hasText(token) ||
parameters.get(TOKEN_PARAM_NAME).size() != 1) {
throwError(OAuth2ErrorCodes.INVALID_REQUEST, TOKEN_PARAM_NAME);
parameters.get(OAuth2ParameterNames.TOKEN).size() != 1) {
throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.TOKEN);
}
// token_type_hint (OPTIONAL)
String tokenTypeHint = parameters.getFirst(TOKEN_TYPE_HINT_PARAM_NAME);
String tokenTypeHint = parameters.getFirst(OAuth2ParameterNames.TOKEN_TYPE_HINT);
if (StringUtils.hasText(tokenTypeHint) &&
parameters.get(TOKEN_TYPE_HINT_PARAM_NAME).size() != 1) {
throwError(OAuth2ErrorCodes.INVALID_REQUEST, TOKEN_TYPE_HINT_PARAM_NAME);
parameters.get(OAuth2ParameterNames.TOKEN_TYPE_HINT).size() != 1) {
throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.TOKEN_TYPE_HINT);
}
return new OAuth2TokenRevocationAuthenticationToken(token, clientPrincipal, tokenTypeHint);

View File

@ -32,6 +32,7 @@ import org.springframework.security.crypto.keys.StaticKeyGeneratingKeyManager;
import org.springframework.security.oauth2.core.AbstractOAuth2Token;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.TestOAuth2Authorizations;
@ -152,9 +153,8 @@ public class OAuth2TokenRevocationTests {
private static MultiValueMap<String, String> getTokenRevocationRequestParameters(AbstractOAuth2Token token, TokenType tokenType) {
MultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
// TODO Use OAuth2ParameterNames
parameters.set("token", token.getTokenValue());
parameters.set("token_type_hint", tokenType.getValue());
parameters.set(OAuth2ParameterNames.TOKEN, token.getTokenValue());
parameters.set(OAuth2ParameterNames.TOKEN_TYPE_HINT, tokenType.getValue());
return parameters;
}

View File

@ -30,6 +30,7 @@ import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.core.http.converter.OAuth2ErrorHttpMessageConverter;
import org.springframework.security.oauth2.server.authorization.TokenType;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
@ -53,8 +54,6 @@ import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoInteractions;
import static org.mockito.Mockito.when;
import static org.springframework.security.oauth2.server.authorization.web.OAuth2TokenRevocationEndpointFilter.TOKEN_PARAM_NAME;
import static org.springframework.security.oauth2.server.authorization.web.OAuth2TokenRevocationEndpointFilter.TOKEN_TYPE_HINT_PARAM_NAME;
/**
* Tests for {@link OAuth2TokenRevocationEndpointFilter}.
@ -122,25 +121,25 @@ public class OAuth2TokenRevocationEndpointFilterTests {
@Test
public void doFilterWhenTokenRevocationRequestMissingTokenThenInvalidRequestError() throws Exception {
doFilterWhenTokenRevocationRequestInvalidParameterThenError(
TOKEN_PARAM_NAME,
OAuth2ParameterNames.TOKEN,
OAuth2ErrorCodes.INVALID_REQUEST,
request -> request.removeParameter(TOKEN_PARAM_NAME));
request -> request.removeParameter(OAuth2ParameterNames.TOKEN));
}
@Test
public void doFilterWhenTokenRevocationRequestMultipleTokenThenInvalidRequestError() throws Exception {
doFilterWhenTokenRevocationRequestInvalidParameterThenError(
TOKEN_PARAM_NAME,
OAuth2ParameterNames.TOKEN,
OAuth2ErrorCodes.INVALID_REQUEST,
request -> request.addParameter(TOKEN_PARAM_NAME, "token-2"));
request -> request.addParameter(OAuth2ParameterNames.TOKEN, "token-2"));
}
@Test
public void doFilterWhenTokenRevocationRequestMultipleTokenTypeHintThenInvalidRequestError() throws Exception {
doFilterWhenTokenRevocationRequestInvalidParameterThenError(
TOKEN_TYPE_HINT_PARAM_NAME,
OAuth2ParameterNames.TOKEN_TYPE_HINT,
OAuth2ErrorCodes.INVALID_REQUEST,
request -> request.addParameter(TOKEN_TYPE_HINT_PARAM_NAME, TokenType.ACCESS_TOKEN.getValue()));
request -> request.addParameter(OAuth2ParameterNames.TOKEN_TYPE_HINT, TokenType.ACCESS_TOKEN.getValue()));
}
@Test
@ -202,8 +201,8 @@ public class OAuth2TokenRevocationEndpointFilterTests {
MockHttpServletRequest request = new MockHttpServletRequest("POST", requestUri);
request.setServletPath(requestUri);
request.addParameter(TOKEN_PARAM_NAME, "token");
request.addParameter(TOKEN_TYPE_HINT_PARAM_NAME, TokenType.ACCESS_TOKEN.getValue());
request.addParameter(OAuth2ParameterNames.TOKEN, "token");
request.addParameter(OAuth2ParameterNames.TOKEN_TYPE_HINT, TokenType.ACCESS_TOKEN.getValue());
return request;
}