Remove OAuth2AuthorizationAttributeNames.ACCESS_TOKEN_ATTRIBUTES

Issue gh-213
This commit is contained in:
Joe Grandja 2021-02-08 20:33:17 -05:00
parent 7261b40cd5
commit fd9df9e2e7
5 changed files with 56 additions and 25 deletions


@ -221,6 +221,11 @@ public class OAuth2Authorization implements Serializable {
*/ */
public static final String INVALIDATED_METADATA_NAME = TOKEN_METADATA_BASE.concat("invalidated"); public static final String INVALIDATED_METADATA_NAME = TOKEN_METADATA_BASE.concat("invalidated");
/**
* The name of the metadata used for the claims of the token.
*/
public static final String CLAIMS_METADATA_NAME = TOKEN_METADATA_BASE.concat("claims");
private final T token; private final T token;
private final Map<String, Object> metadata; private final Map<String, Object> metadata;
@ -252,6 +257,16 @@ public class OAuth2Authorization implements Serializable {
return Boolean.TRUE.equals(getMetadata(INVALIDATED_METADATA_NAME)); return Boolean.TRUE.equals(getMetadata(INVALIDATED_METADATA_NAME));
} }
/**
* Returns the claims associated to the token.
*
* @return a {@code Map} of the claims, or {@code null} if not available
*/
@Nullable
public Map<String, Object> getClaims() {
return getMetadata(CLAIMS_METADATA_NAME);
}
/** /**
* Returns the value of the metadata associated to the token. * Returns the value of the metadata associated to the token.
* *
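Review bot: The new `getClaims()` returns the metadata value exactly as the `token(..., metadata -> ...)` consumer stored it, so neither the Javadoc on `CLAIMS_METADATA_NAME` nor the one on `getClaims()` tells a caller whether the map may be mutated or must be serializable. Because `OAuth2Authorization` is `Serializable` (per the hunk header), whatever is stored under `CLAIMS_METADATA_NAME` must itself be serializable, and `getClaims()` presumably relies on the generic cast inside `getMetadata` (outside the hunk), so a value of another type would surface as a `ClassCastException` at the call site rather than here. I would add to the `getClaims()` Javadoc `@implNote The returned map is the instance supplied through the token metadata consumer; it is neither copied nor wrapped as unmodifiable.` and to the constant `Values stored under this name must be {@code Serializable} and of type {@code Map<String, Object>}.` The enclosing `Token` class starts and ends outside the hunk.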


@ -16,7 +16,6 @@
package org.springframework.security.oauth2.server.authorization; package org.springframework.security.oauth2.server.authorization;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest; import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
/** /**
@ -44,11 +43,6 @@ public interface OAuth2AuthorizationAttributeNames {
*/ */
String AUTHORIZED_SCOPES = OAuth2Authorization.class.getName().concat(".AUTHORIZED_SCOPES"); String AUTHORIZED_SCOPES = OAuth2Authorization.class.getName().concat(".AUTHORIZED_SCOPES");
/**
* The name of the attribute used for the attributes/claims of the {@link OAuth2AccessToken}.
*/
String ACCESS_TOKEN_ATTRIBUTES = OAuth2Authorization.class.getName().concat(".ACCESS_TOKEN_ATTRIBUTES");
/** /**
* The name of the attribute used for the resource owner {@code Principal}. * The name of the attribute used for the resource owner {@code Principal}.
*/ */


@ -137,10 +137,11 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica
JoseHeader headers = context.getHeaders().build(); JoseHeader headers = context.getHeaders().build();
JwtClaimsSet claims = context.getClaims().build(); JwtClaimsSet claims = context.getClaims().build();
Jwt jwt = this.jwtEncoder.encode(headers, claims); Jwt jwtAccessToken = this.jwtEncoder.encode(headers, claims);
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getClaim(OAuth2ParameterNames.SCOPE)); jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(),
jwtAccessToken.getExpiresAt(), jwtAccessToken.getClaim(OAuth2ParameterNames.SCOPE));
OAuth2RefreshToken refreshToken = null; OAuth2RefreshToken refreshToken = null;
if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)) { if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)) {
@ -148,7 +149,7 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica
registeredClient.getTokenSettings().refreshTokenTimeToLive()); registeredClient.getTokenSettings().refreshTokenTimeToLive());
} }
OidcIdToken idToken = null; Jwt jwtIdToken = null;
if (authorizationRequest.getScopes().contains(OidcScopes.OPENID)) { if (authorizationRequest.getScopes().contains(OidcScopes.OPENID)) {
// @formatter:off // @formatter:off
context = JwtEncodingContextUtils.idTokenContext(registeredClient, authorization) context = JwtEncodingContextUtils.idTokenContext(registeredClient, authorization)
@ -161,22 +162,34 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica
headers = context.getHeaders().build(); headers = context.getHeaders().build();
claims = context.getClaims().build(); claims = context.getClaims().build();
Jwt jwtIdToken = this.jwtEncoder.encode(headers, claims); jwtIdToken = this.jwtEncoder.encode(headers, claims);
idToken = new OidcIdToken(jwtIdToken.getTokenValue(), jwtIdToken.getIssuedAt(),
jwtIdToken.getExpiresAt(), jwtIdToken.getClaims());
} }
OidcIdToken idToken;
if (jwtIdToken != null) {
idToken = new OidcIdToken(jwtIdToken.getTokenValue(), jwtIdToken.getIssuedAt(),
jwtIdToken.getExpiresAt(), jwtIdToken.getClaims());
} else {
idToken = null;
}
// @formatter:off
OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.from(authorization) OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.from(authorization)
.accessToken(accessToken) .token(accessToken,
.attribute(OAuth2AuthorizationAttributeNames.ACCESS_TOKEN_ATTRIBUTES, jwt); (metadata) ->
metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, jwtAccessToken.getClaims())
);
if (refreshToken != null) { if (refreshToken != null) {
authorizationBuilder.refreshToken(refreshToken); authorizationBuilder.refreshToken(refreshToken);
} }
if (idToken != null) { if (idToken != null) {
authorizationBuilder.token(idToken); authorizationBuilder
.token(idToken,
(metadata) ->
metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, idToken.getClaims()));
} }
authorization = authorizationBuilder.build(); authorization = authorizationBuilder.build();
// @formatter:on
// Invalidate the authorization code as it can only be used once // Invalidate the authorization code as it can only be used once
authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, authorizationCode.getToken()); authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, authorizationCode.getToken());
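Review bot: The consumer `(metadata) -> metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, jwtAccessToken.getClaims())` is spelled out verbatim here, again for the ID token a few lines below, and once more in each of `OAuth2ClientCredentialsAuthenticationProvider` and `OAuth2RefreshTokenAuthenticationProvider` in this commit, so any later change to how claims are recorded has four places to drift. A helper on `OAuth2AuthenticationProviderUtils` (already used on the last line of this hunk), e.g. `static Consumer<Map<String, Object>> claimsMetadata(Map<String, Object> claims) { return (metadata) -> metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, claims); }`, would let each call site read `.token(accessToken, OAuth2AuthenticationProviderUtils.claimsMetadata(jwtAccessToken.getClaims()))`. Separately, the `OidcIdToken idToken; if (jwtIdToken != null) {...} else { idToken = null; }` block appears to exist only so that `idToken` is effectively final for the lambda that follows; a single conditional expression `OidcIdToken idToken = (jwtIdToken != null) ? new OidcIdToken(jwtIdToken.getTokenValue(), jwtIdToken.getIssuedAt(), jwtIdToken.getExpiresAt(), jwtIdToken.getClaims()) : null;` preceded by `// single assignment keeps idToken effectively final for the metadata lambda below` says that in one statement. The enclosing method starts and ends outside the hunk.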


@ -33,7 +33,6 @@ import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimsSet; import org.springframework.security.oauth2.jwt.JwtClaimsSet;
import org.springframework.security.oauth2.jwt.JwtEncoder; import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization; import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationAttributeNames;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService; import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient; import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext; import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
@ -117,17 +116,22 @@ public class OAuth2ClientCredentialsAuthenticationProvider implements Authentica
JoseHeader headers = context.getHeaders().build(); JoseHeader headers = context.getHeaders().build();
JwtClaimsSet claims = context.getClaims().build(); JwtClaimsSet claims = context.getClaims().build();
Jwt jwt = this.jwtEncoder.encode(headers, claims); Jwt jwtAccessToken = this.jwtEncoder.encode(headers, claims);
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getClaim(OAuth2ParameterNames.SCOPE)); jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(),
jwtAccessToken.getExpiresAt(), jwtAccessToken.getClaim(OAuth2ParameterNames.SCOPE));
// @formatter:off
OAuth2Authorization authorization = OAuth2Authorization.withRegisteredClient(registeredClient) OAuth2Authorization authorization = OAuth2Authorization.withRegisteredClient(registeredClient)
.principalName(clientPrincipal.getName()) .principalName(clientPrincipal.getName())
.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS) .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
.token(accessToken) .token(accessToken,
.attribute(OAuth2AuthorizationAttributeNames.ACCESS_TOKEN_ATTRIBUTES, jwt) (metadata) ->
metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, jwtAccessToken.getClaims()))
.build(); .build();
// @formatter:on
this.authorizationService.save(authorization); this.authorizationService.save(authorization);
return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken); return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken);


@ -148,10 +148,11 @@ public class OAuth2RefreshTokenAuthenticationProvider implements AuthenticationP
JoseHeader headers = context.getHeaders().build(); JoseHeader headers = context.getHeaders().build();
JwtClaimsSet claims = context.getClaims().build(); JwtClaimsSet claims = context.getClaims().build();
Jwt jwt = this.jwtEncoder.encode(headers, claims); Jwt jwtAccessToken = this.jwtEncoder.encode(headers, claims);
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getClaim(OAuth2ParameterNames.SCOPE)); jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(),
jwtAccessToken.getExpiresAt(), jwtAccessToken.getClaim(OAuth2ParameterNames.SCOPE));
TokenSettings tokenSettings = registeredClient.getTokenSettings(); TokenSettings tokenSettings = registeredClient.getTokenSettings();
@ -160,11 +161,15 @@ public class OAuth2RefreshTokenAuthenticationProvider implements AuthenticationP
currentRefreshToken = generateRefreshToken(tokenSettings.refreshTokenTimeToLive()); currentRefreshToken = generateRefreshToken(tokenSettings.refreshTokenTimeToLive());
} }
// @formatter:off
authorization = OAuth2Authorization.from(authorization) authorization = OAuth2Authorization.from(authorization)
.accessToken(accessToken) .token(accessToken,
(metadata) ->
metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, jwtAccessToken.getClaims()))
.refreshToken(currentRefreshToken) .refreshToken(currentRefreshToken)
.attribute(OAuth2AuthorizationAttributeNames.ACCESS_TOKEN_ATTRIBUTES, jwt)
.build(); .build();
// @formatter:on
this.authorizationService.save(authorization); this.authorizationService.save(authorization);
return new OAuth2AccessTokenAuthenticationToken( return new OAuth2AccessTokenAuthenticationToken(