From ee1b46b9a627504ed2d0fdaf7308b11fba23fb98 Mon Sep 17 00:00:00 2001
From: Joe Grandja
Date: Mon, 8 Feb 2021 21:14:33 -0500
Subject: [PATCH] Remove OAuth2AuthorizationAttributeNames.PRINCIPAL

Issue gh-213
---
 .../authorization/OAuth2AuthorizationAttributeNames.java | 5 -----
 .../OAuth2AuthorizationCodeAuthenticationProvider.java | 5 +++--
 .../OAuth2RefreshTokenAuthenticationProvider.java | 3 ++-
 .../web/OAuth2AuthorizationEndpointFilter.java | 3 ++-
 .../authorization/OAuth2AuthorizationCodeGrantTests.java | 4 ++--
 .../server/authorization/OAuth2RefreshTokenGrantTests.java | 4 ++--
 .../configurers/oauth2/server/authorization/OidcTests.java | 4 ++--
 .../server/authorization/TestOAuth2Authorizations.java | 3 ++-
 ...OAuth2AuthorizationCodeAuthenticationProviderTests.java | 7 ++++---
 .../OAuth2RefreshTokenAuthenticationProviderTests.java | 3 ++-
 .../web/OAuth2AuthorizationEndpointFilterTests.java | 7 ++++---
 11 files changed, 25 insertions(+), 23 deletions(-)

diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2AuthorizationAttributeNames.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2AuthorizationAttributeNames.java
index 6e3f533..16b647b 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2AuthorizationAttributeNames.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2AuthorizationAttributeNames.java
@@ -38,9 +38,4 @@ public interface OAuth2AuthorizationAttributeNames {
 */
 String AUTHORIZED_SCOPES = OAuth2Authorization.class.getName().concat(".AUTHORIZED_SCOPES");
- /**
- * The name of the attribute used for the resource owner {@code Principal}.
- */
- String PRINCIPAL = OAuth2Authorization.class.getName().concat(".PRINCIPAL");
-
 }
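Review bot: Dropping `PRINCIPAL` changes the attribute key under which the resource-owner `Authentication` is stored, from `OAuth2Authorization.class.getName().concat(".PRINCIPAL")` to `Principal.class.getName()`, and this hunk removes the only Javadoc that said where the principal lives without adding a replacement anywhere in the commit. Any `OAuth2Authorization` already held by an `OAuth2AuthorizationService` under the old key would read back as `null` from the providers after this change; whether that matters depends on whether a persistent service is in use, which the diff does not show. A JDK class name is also a far more generic key than the previous project-qualified one, so an unrelated `attribute("java.security.Principal", …)` written elsewhere would silently replace the resource owner. Keeping the constant one release as `@Deprecated String PRINCIPAL = Principal.class.getName();` would make both spellings resolve to the same entry, and the interface Javadoc should state that the principal is stored under `Principal.class.getName()`.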
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java
index f83ac86..acc108d 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java
@@ -15,6 +15,7 @@
 */
 package org.springframework.security.oauth2.server.authorization.authentication;
+import java.security.Principal;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
@@ -128,7 +129,7 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica
 // @formatter:off
 JwtEncodingContext context = JwtEncodingContextUtils.accessTokenContext(registeredClient, authorization)
- .principal(authorization.getAttribute(OAuth2AuthorizationAttributeNames.PRINCIPAL))
+ .principal(authorization.getAttribute(Principal.class.getName()))
 .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 .authorizationGrant(authorizationCodeAuthentication)
 .build();
@@ -153,7 +154,7 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica
 if (authorizationRequest.getScopes().contains(OidcScopes.OPENID)) {
 // @formatter:off
 context = JwtEncodingContextUtils.idTokenContext(registeredClient, authorization)
- .principal(authorization.getAttribute(OAuth2AuthorizationAttributeNames.PRINCIPAL))
+ .principal(authorization.getAttribute(Principal.class.getName()))
 .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 .authorizationGrant(authorizationCodeAuthentication)
 .build();
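Review bot: Both `.principal(authorization.getAttribute(Principal.class.getName()))` calls in this file pass the looked-up value through unchecked, so an authorization with no entry under the new key (one created before the rename, or returned by a store that does not round-trip attributes) either trips whatever null check the context builder has or produces a `JwtEncodingContext` whose principal is null, with the failure surfacing in the customizer instead of as a rejected grant. Resolving it once and failing fast would keep a token from being minted for an authorization the server cannot fully reconstruct, e.g. `Authentication principal = authorization.getAttribute(Principal.class.getName());` followed by `if (principal == null) { throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_GRANT)); }` ahead of the first `// @formatter:off`, then `.principal(principal)` in both chains. The same applies to the single `.principal(...)` call in `OAuth2RefreshTokenAuthenticationProvider` in the next file. The enclosing method starts and ends outside these hunks.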
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationProvider.java
index 2c36ac7..675a989 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationProvider.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationProvider.java
@@ -15,6 +15,7 @@
 */
 package org.springframework.security.oauth2.server.authorization.authentication;
+import java.security.Principal;
 import java.time.Duration;
 import java.time.Instant;
 import java.util.Base64;
@@ -139,7 +140,7 @@ public class OAuth2RefreshTokenAuthenticationProvider implements AuthenticationP
 // @formatter:off
 JwtEncodingContext context = JwtEncodingContextUtils.accessTokenContext(registeredClient, authorization, scopes)
- .principal(authorization.getAttribute(OAuth2AuthorizationAttributeNames.PRINCIPAL))
+ .principal(authorization.getAttribute(Principal.class.getName()))
 .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
 .authorizationGrant(refreshTokenAuthentication)
 .build();
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java
index 3103820..85471ab 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java
@@ -17,6 +17,7 @@ package org.springframework.security.oauth2.server.authorization.web;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
+import java.security.Principal;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.Arrays;
@@ -194,7 +195,7 @@ public class OAuth2AuthorizationEndpointFilter extends OncePerRequestFilter {
 OAuth2Authorization.Builder builder = OAuth2Authorization.withRegisteredClient(registeredClient)
 .principalName(principal.getName())
 .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
- .attribute(OAuth2AuthorizationAttributeNames.PRINCIPAL, principal)
+ .attribute(Principal.class.getName(), principal)
 .attribute(OAuth2AuthorizationAttributeNames.AUTHORIZATION_REQUEST, authorizationRequest);
 if (registeredClient.getClientSettings().requireUserConsent()) {
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java
index 9d44287..9f927c0 100644
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java
@@ -17,6 +17,7 @@ package org.springframework.security.config.annotation.web.configurers.oauth2.se
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
+import java.security.Principal;
 import java.util.Base64;
 import java.util.List;
 import java.util.Set;
@@ -57,7 +58,6 @@ import org.springframework.security.oauth2.jwt.JwtEncoder;
 import org.springframework.security.oauth2.jwt.NimbusJwsEncoder;
 import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
-import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationAttributeNames;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.TestOAuth2Authorizations;
 import org.springframework.security.oauth2.server.authorization.TokenType;
@@ -208,7 +208,7 @@ public class OAuth2AuthorizationCodeGrantTests {
 // Assert user authorities was propagated as claim in JWT
 Jwt jwt = jwtDecoder.decode(accessTokenResponse.getAccessToken().getTokenValue());
 List authoritiesClaim = jwt.getClaim(AUTHORITIES_CLAIM);
- Authentication principal = authorization.getAttribute(OAuth2AuthorizationAttributeNames.PRINCIPAL);
+ Authentication principal = authorization.getAttribute(Principal.class.getName());
 Set userAuthorities = principal.getAuthorities().stream()
 .map(GrantedAuthority::getAuthority)
 .collect(Collectors.toSet());
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2RefreshTokenGrantTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2RefreshTokenGrantTests.java
index fd0f51f..9c20edc 100644
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2RefreshTokenGrantTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2RefreshTokenGrantTests.java
@@ -17,6 +17,7 @@ package org.springframework.security.config.annotation.web.configurers.oauth2.se
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
+import java.security.Principal;
 import java.util.Base64;
 import java.util.List;
 import java.util.Set;
@@ -52,7 +53,6 @@ import org.springframework.security.oauth2.jose.TestKeys;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
-import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationAttributeNames;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.TestOAuth2Authorizations;
 import org.springframework.security.oauth2.server.authorization.TokenType;
@@ -159,7 +159,7 @@ public class OAuth2RefreshTokenGrantTests {
 // Assert user authorities was propagated as claim in JWT
 Jwt jwt = jwtDecoder.decode(accessTokenResponse.getAccessToken().getTokenValue());
 List authoritiesClaim = jwt.getClaim(AUTHORITIES_CLAIM);
- Authentication principal = authorization.getAttribute(OAuth2AuthorizationAttributeNames.PRINCIPAL);
+ Authentication principal = authorization.getAttribute(Principal.class.getName());
 Set userAuthorities = principal.getAuthorities().stream()
 .map(GrantedAuthority::getAuthority)
 .collect(Collectors.toSet());
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcTests.java
index 1a926b3..d96c2f7 100644
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcTests.java
@@ -17,6 +17,7 @@ package org.springframework.security.config.annotation.web.configurers.oauth2.se
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
+import java.security.Principal;
 import java.util.Base64;
 import java.util.List;
 import java.util.Set;
@@ -56,7 +57,6 @@ import org.springframework.security.oauth2.jose.TestKeys;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
-import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationAttributeNames;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.TokenType;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
@@ -216,7 +216,7 @@ public class OidcTests {
 // Assert user authorities was propagated as claim in ID Token
 Jwt idToken = jwtDecoder.decode((String) accessTokenResponse.getAdditionalParameters().get(OidcParameterNames.ID_TOKEN));
 List authoritiesClaim = idToken.getClaim(AUTHORITIES_CLAIM);
- Authentication principal = authorization.getAttribute(OAuth2AuthorizationAttributeNames.PRINCIPAL);
+ Authentication principal = authorization.getAttribute(Principal.class.getName());
 Set userAuthorities = principal.getAuthorities().stream()
 .map(GrantedAuthority::getAuthority)
 .collect(Collectors.toSet());
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/TestOAuth2Authorizations.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/TestOAuth2Authorizations.java
index e2437f4..3735842 100644
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/TestOAuth2Authorizations.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/TestOAuth2Authorizations.java
@@ -15,6 +15,7 @@
 */
 package org.springframework.security.oauth2.server.authorization;
+import java.security.Principal;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.Collections;
@@ -67,7 +68,7 @@ public class TestOAuth2Authorizations {
 .accessToken(accessToken)
 .refreshToken(refreshToken)
 .attribute(OAuth2AuthorizationAttributeNames.AUTHORIZATION_REQUEST, authorizationRequest)
- .attribute(OAuth2AuthorizationAttributeNames.PRINCIPAL,
+ .attribute(Principal.class.getName(),
 new TestingAuthenticationToken("principal", null, "ROLE_A", "ROLE_B"))
 .attribute(OAuth2AuthorizationAttributeNames.AUTHORIZED_SCOPES, authorizationRequest.getScopes());
 }
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProviderTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProviderTests.java
index 258e97e..dbab7d0 100644
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProviderTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProviderTests.java
@@ -15,6 +15,7 @@
 */
 package org.springframework.security.oauth2.server.authorization.authentication;
+import java.security.Principal;
 import java.time.Duration;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
@@ -240,7 +241,7 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
 verify(this.jwtCustomizer).customize(jwtEncodingContextCaptor.capture());
 JwtEncodingContext jwtEncodingContext = jwtEncodingContextCaptor.getValue();
 assertThat(jwtEncodingContext.getRegisteredClient()).isEqualTo(registeredClient);
- assertThat(jwtEncodingContext.getPrincipal()).isEqualTo(authorization.getAttribute(OAuth2AuthorizationAttributeNames.PRINCIPAL));
+ assertThat(jwtEncodingContext.getPrincipal()).isEqualTo(authorization.getAttribute(Principal.class.getName()));
 assertThat(jwtEncodingContext.getAuthorization()).isEqualTo(authorization);
 assertThat(jwtEncodingContext.getTokenType()).isEqualTo(TokenType.ACCESS_TOKEN);
 assertThat(jwtEncodingContext.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
@@ -292,7 +293,7 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
 // Access Token context
 JwtEncodingContext accessTokenContext = jwtEncodingContextCaptor.getAllValues().get(0);
 assertThat(accessTokenContext.getRegisteredClient()).isEqualTo(registeredClient);
- assertThat(accessTokenContext.getPrincipal()).isEqualTo(authorization.getAttribute(OAuth2AuthorizationAttributeNames.PRINCIPAL));
+ assertThat(accessTokenContext.getPrincipal()).isEqualTo(authorization.getAttribute(Principal.class.getName()));
 assertThat(accessTokenContext.getAuthorization()).isEqualTo(authorization);
 assertThat(accessTokenContext.getTokenType()).isEqualTo(TokenType.ACCESS_TOKEN);
 assertThat(accessTokenContext.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
@@ -302,7 +303,7 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
 // ID Token context
 JwtEncodingContext idTokenContext = jwtEncodingContextCaptor.getAllValues().get(1);
 assertThat(idTokenContext.getRegisteredClient()).isEqualTo(registeredClient);
- assertThat(idTokenContext.getPrincipal()).isEqualTo(authorization.getAttribute(OAuth2AuthorizationAttributeNames.PRINCIPAL));
+ assertThat(idTokenContext.getPrincipal()).isEqualTo(authorization.getAttribute(Principal.class.getName()));
 assertThat(idTokenContext.getAuthorization()).isEqualTo(authorization);
 assertThat(idTokenContext.getTokenType().getValue()).isEqualTo(OidcParameterNames.ID_TOKEN);
 assertThat(idTokenContext.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationProviderTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationProviderTests.java
index 40cd9e3..5f1b799 100644
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationProviderTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationProviderTests.java
@@ -15,6 +15,7 @@
 */
 package org.springframework.security.oauth2.server.authorization.authentication;
+import java.security.Principal;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.Collections;
@@ -133,7 +134,7 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
 verify(this.jwtCustomizer).customize(jwtEncodingContextCaptor.capture());
 JwtEncodingContext jwtEncodingContext = jwtEncodingContextCaptor.getValue();
 assertThat(jwtEncodingContext.getRegisteredClient()).isEqualTo(registeredClient);
- assertThat(jwtEncodingContext.getPrincipal()).isEqualTo(authorization.getAttribute(OAuth2AuthorizationAttributeNames.PRINCIPAL));
+ assertThat(jwtEncodingContext.getPrincipal()).isEqualTo(authorization.getAttribute(Principal.class.getName()));
 assertThat(jwtEncodingContext.getAuthorization()).isEqualTo(authorization);
 assertThat(jwtEncodingContext.getTokenType()).isEqualTo(TokenType.ACCESS_TOKEN);
 assertThat(jwtEncodingContext.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.REFRESH_TOKEN);
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java
index 211b4d8..5efbc16 100644
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java
@@ -16,6 +16,7 @@ package org.springframework.security.oauth2.server.authorization.web;
 import java.nio.charset.StandardCharsets;
+import java.security.Principal;
 import java.util.Set;
 import java.util.function.Consumer;
@@ -468,7 +469,7 @@ public class OAuth2AuthorizationEndpointFilterTests {
 assertThat(authorization.getRegisteredClientId()).isEqualTo(registeredClient.getId());
 assertThat(authorization.getPrincipalName()).isEqualTo(this.authentication.getPrincipal().toString());
 assertThat(authorization.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
- assertThat(authorization.getAttribute(OAuth2AuthorizationAttributeNames.PRINCIPAL))
+ assertThat(authorization.getAttribute(Principal.class.getName()))
 .isEqualTo(this.authentication);
 OAuth2Authorization.Token authorizationCode = authorization.getToken(OAuth2AuthorizationCode.class);
@@ -518,7 +519,7 @@ public class OAuth2AuthorizationEndpointFilterTests {
 assertThat(authorization.getRegisteredClientId()).isEqualTo(registeredClient.getId());
 assertThat(authorization.getPrincipalName()).isEqualTo(this.authentication.getPrincipal().toString());
 assertThat(authorization.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
- assertThat(authorization.getAttribute(OAuth2AuthorizationAttributeNames.PRINCIPAL))
+ assertThat(authorization.getAttribute(Principal.class.getName()))
 .isEqualTo(this.authentication);
 OAuth2Authorization.Token authorizationCode = authorization.getToken(OAuth2AuthorizationCode.class);
@@ -566,7 +567,7 @@ public class OAuth2AuthorizationEndpointFilterTests {
 assertThat(authorization.getRegisteredClientId()).isEqualTo(registeredClient.getId());
 assertThat(authorization.getPrincipalName()).isEqualTo(this.authentication.getPrincipal().toString());
 assertThat(authorization.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
- assertThat(authorization.getAttribute(OAuth2AuthorizationAttributeNames.PRINCIPAL))
+ assertThat(authorization.getAttribute(Principal.class.getName()))
 .isEqualTo(this.authentication);
 String state = authorization.getAttribute(OAuth2ParameterNames.STATE);