Remove OAuth2AuthorizationAttributeNames.ACCESS_TOKEN_ATTRIBUTES
Issue gh-213
This commit is contained in:
parent
7261b40cd5
commit
fd9df9e2e7
@ -221,6 +221,11 @@ public class OAuth2Authorization implements Serializable {
|
|||||||
*/
|
*/
|
||||||
public static final String INVALIDATED_METADATA_NAME = TOKEN_METADATA_BASE.concat("invalidated");
|
public static final String INVALIDATED_METADATA_NAME = TOKEN_METADATA_BASE.concat("invalidated");
|
||||||
|
|
||||||
|
/**
|
||||||
|
* The name of the metadata used for the claims of the token.
|
||||||
|
*/
|
||||||
|
public static final String CLAIMS_METADATA_NAME = TOKEN_METADATA_BASE.concat("claims");
|
||||||
|
|
||||||
private final T token;
|
private final T token;
|
||||||
private final Map<String, Object> metadata;
|
private final Map<String, Object> metadata;
|
||||||
|
|
||||||
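Review bot: The Javadoc on `CLAIMS_METADATA_NAME` says what the key is for but not what is stored under it; the providers in this commit put the full `Map<String, Object>` returned by `Jwt.getClaims()` / `OidcIdToken.getClaims()` there, which for the ID token may include end-user claims, so the value type is worth stating for whoever reads the metadata back. Suggest `* The name of the metadata used for the claims of the token, stored as a {@code Map<String, Object>} of claim name to value.` The enclosing `Token` class starts and ends outside the hunk.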
@ -252,6 +257,16 @@ public class OAuth2Authorization implements Serializable {
|
|||||||
return Boolean.TRUE.equals(getMetadata(INVALIDATED_METADATA_NAME));
|
return Boolean.TRUE.equals(getMetadata(INVALIDATED_METADATA_NAME));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the claims associated to the token.
|
||||||
|
*
|
||||||
|
* @return a {@code Map} of the claims, or {@code null} if not available
|
||||||
|
*/
|
||||||
|
@Nullable
|
||||||
|
public Map<String, Object> getClaims() {
|
||||||
|
return getMetadata(CLAIMS_METADATA_NAME);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns the value of the metadata associated to the token.
|
* Returns the value of the metadata associated to the token.
|
||||||
*
|
*
|
||||||
|
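Review bot: `getClaims()` goes through the unchecked generic cast in `getMetadata(...)`, so a value stored under `CLAIMS_METADATA_NAME` that is not a `Map` will surface as a `ClassCastException` at the caller's assignment rather than inside this method, and the mutability of the returned map is whatever the metadata consumer stored. The contract should say so: `* <p>The returned map is the one supplied to the token's metadata consumer; callers should treat it as read-only.` Alternatively wrap the result in `Collections.unmodifiableMap(...)` if `java.util.Collections` is already imported (the import block is outside this hunk). The enclosing `Token` class starts and ends outside the hunk.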
@ -16,7 +16,6 @@
|
|||||||
package org.springframework.security.oauth2.server.authorization;
|
package org.springframework.security.oauth2.server.authorization;
|
||||||
|
|
||||||
|
|
||||||
import org.springframework.security.oauth2.core.OAuth2AccessToken;
|
|
||||||
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
|
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -44,11 +43,6 @@ public interface OAuth2AuthorizationAttributeNames {
|
|||||||
*/
|
*/
|
||||||
String AUTHORIZED_SCOPES = OAuth2Authorization.class.getName().concat(".AUTHORIZED_SCOPES");
|
String AUTHORIZED_SCOPES = OAuth2Authorization.class.getName().concat(".AUTHORIZED_SCOPES");
|
||||||
|
|
||||||
/**
|
|
||||||
* The name of the attribute used for the attributes/claims of the {@link OAuth2AccessToken}.
|
|
||||||
*/
|
|
||||||
String ACCESS_TOKEN_ATTRIBUTES = OAuth2Authorization.class.getName().concat(".ACCESS_TOKEN_ATTRIBUTES");
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The name of the attribute used for the resource owner {@code Principal}.
|
* The name of the attribute used for the resource owner {@code Principal}.
|
||||||
*/
|
*/
|
||||||
|
@ -137,10 +137,11 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica
|
|||||||
|
|
||||||
JoseHeader headers = context.getHeaders().build();
|
JoseHeader headers = context.getHeaders().build();
|
||||||
JwtClaimsSet claims = context.getClaims().build();
|
JwtClaimsSet claims = context.getClaims().build();
|
||||||
Jwt jwt = this.jwtEncoder.encode(headers, claims);
|
Jwt jwtAccessToken = this.jwtEncoder.encode(headers, claims);
|
||||||
|
|
||||||
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
|
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
|
||||||
jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getClaim(OAuth2ParameterNames.SCOPE));
|
jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(),
|
||||||
|
jwtAccessToken.getExpiresAt(), jwtAccessToken.getClaim(OAuth2ParameterNames.SCOPE));
|
||||||
|
|
||||||
OAuth2RefreshToken refreshToken = null;
|
OAuth2RefreshToken refreshToken = null;
|
||||||
if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)) {
|
if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)) {
|
||||||
@ -148,7 +149,7 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica
|
|||||||
registeredClient.getTokenSettings().refreshTokenTimeToLive());
|
registeredClient.getTokenSettings().refreshTokenTimeToLive());
|
||||||
}
|
}
|
||||||
|
|
||||||
OidcIdToken idToken = null;
|
Jwt jwtIdToken = null;
|
||||||
if (authorizationRequest.getScopes().contains(OidcScopes.OPENID)) {
|
if (authorizationRequest.getScopes().contains(OidcScopes.OPENID)) {
|
||||||
// @formatter:off
|
// @formatter:off
|
||||||
context = JwtEncodingContextUtils.idTokenContext(registeredClient, authorization)
|
context = JwtEncodingContextUtils.idTokenContext(registeredClient, authorization)
|
||||||
@ -161,22 +162,34 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica
|
|||||||
|
|
||||||
headers = context.getHeaders().build();
|
headers = context.getHeaders().build();
|
||||||
claims = context.getClaims().build();
|
claims = context.getClaims().build();
|
||||||
Jwt jwtIdToken = this.jwtEncoder.encode(headers, claims);
|
jwtIdToken = this.jwtEncoder.encode(headers, claims);
|
||||||
|
|
||||||
idToken = new OidcIdToken(jwtIdToken.getTokenValue(), jwtIdToken.getIssuedAt(),
|
|
||||||
jwtIdToken.getExpiresAt(), jwtIdToken.getClaims());
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
OidcIdToken idToken;
|
||||||
|
if (jwtIdToken != null) {
|
||||||
|
idToken = new OidcIdToken(jwtIdToken.getTokenValue(), jwtIdToken.getIssuedAt(),
|
||||||
|
jwtIdToken.getExpiresAt(), jwtIdToken.getClaims());
|
||||||
|
} else {
|
||||||
|
idToken = null;
|
||||||
|
}
|
||||||
|
|
||||||
|
// @formatter:off
|
||||||
OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.from(authorization)
|
OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.from(authorization)
|
||||||
.accessToken(accessToken)
|
.token(accessToken,
|
||||||
.attribute(OAuth2AuthorizationAttributeNames.ACCESS_TOKEN_ATTRIBUTES, jwt);
|
(metadata) ->
|
||||||
|
metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, jwtAccessToken.getClaims())
|
||||||
|
);
|
||||||
if (refreshToken != null) {
|
if (refreshToken != null) {
|
||||||
authorizationBuilder.refreshToken(refreshToken);
|
authorizationBuilder.refreshToken(refreshToken);
|
||||||
}
|
}
|
||||||
if (idToken != null) {
|
if (idToken != null) {
|
||||||
authorizationBuilder.token(idToken);
|
authorizationBuilder
|
||||||
|
.token(idToken,
|
||||||
|
(metadata) ->
|
||||||
|
metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, idToken.getClaims()));
|
||||||
}
|
}
|
||||||
authorization = authorizationBuilder.build();
|
authorization = authorizationBuilder.build();
|
||||||
|
// @formatter:on
|
||||||
|
|
||||||
// Invalidate the authorization code as it can only be used once
|
// Invalidate the authorization code as it can only be used once
|
||||||
authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, authorizationCode.getToken());
|
authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, authorizationCode.getToken());
|
||||||
|
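Review bot: The `OidcIdToken idToken; if (jwtIdToken != null) { … } else { idToken = null; }` block appears to exist only so that `idToken` is assigned exactly once and is therefore effectively final for capture in the `.token(idToken, (metadata) -> …)` lambda, but without a comment it reads as redundant null handling right after the `if (…OPENID…)` branch that already decides the same thing. A conditional expression states the intent in one statement: `OidcIdToken idToken = (jwtIdToken != null) ? new OidcIdToken(jwtIdToken.getTokenValue(), jwtIdToken.getIssuedAt(), jwtIdToken.getExpiresAt(), jwtIdToken.getClaims()) : null;`. If the if/else is kept, a one-line comment such as `// assigned once so idToken is effectively final for the metadata lambda below` spares the next reader the same puzzle. The enclosing `authenticate` method starts and ends outside the hunk.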
@ -33,7 +33,6 @@ import org.springframework.security.oauth2.jwt.Jwt;
|
|||||||
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
|
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
|
||||||
import org.springframework.security.oauth2.jwt.JwtEncoder;
|
import org.springframework.security.oauth2.jwt.JwtEncoder;
|
||||||
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
|
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
|
||||||
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationAttributeNames;
|
|
||||||
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
|
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
|
||||||
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
|
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
|
||||||
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
|
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
|
||||||
@ -117,17 +116,22 @@ public class OAuth2ClientCredentialsAuthenticationProvider implements Authentica
|
|||||||
|
|
||||||
JoseHeader headers = context.getHeaders().build();
|
JoseHeader headers = context.getHeaders().build();
|
||||||
JwtClaimsSet claims = context.getClaims().build();
|
JwtClaimsSet claims = context.getClaims().build();
|
||||||
Jwt jwt = this.jwtEncoder.encode(headers, claims);
|
Jwt jwtAccessToken = this.jwtEncoder.encode(headers, claims);
|
||||||
|
|
||||||
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
|
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
|
||||||
jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getClaim(OAuth2ParameterNames.SCOPE));
|
jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(),
|
||||||
|
jwtAccessToken.getExpiresAt(), jwtAccessToken.getClaim(OAuth2ParameterNames.SCOPE));
|
||||||
|
|
||||||
|
// @formatter:off
|
||||||
OAuth2Authorization authorization = OAuth2Authorization.withRegisteredClient(registeredClient)
|
OAuth2Authorization authorization = OAuth2Authorization.withRegisteredClient(registeredClient)
|
||||||
.principalName(clientPrincipal.getName())
|
.principalName(clientPrincipal.getName())
|
||||||
.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
|
.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
|
||||||
.token(accessToken)
|
.token(accessToken,
|
||||||
.attribute(OAuth2AuthorizationAttributeNames.ACCESS_TOKEN_ATTRIBUTES, jwt)
|
(metadata) ->
|
||||||
|
metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, jwtAccessToken.getClaims()))
|
||||||
.build();
|
.build();
|
||||||
|
// @formatter:on
|
||||||
|
|
||||||
this.authorizationService.save(authorization);
|
this.authorizationService.save(authorization);
|
||||||
|
|
||||||
return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken);
|
return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken);
|
||||||
|
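Review bot: `jwtAccessToken.getClaim(OAuth2ParameterNames.SCOPE)` is handed to the `OAuth2AccessToken` constructor through `getClaim`'s unchecked generic return, so issuance only works while the encoding context emits the `scope` claim as a collection; if a `JwtEncodingContext` customizer rewrote it into the space-delimited string form defined by RFC 8693/RFC 9068, the failure would be a `ClassCastException` after the JWT has already been encoded. This is pre-existing and only re-wrapped by the commit, but the same claims map is now also persisted as token metadata, so the assumption deserves a comment, e.g. `// scope claim is expected as a collection here, not the RFC 9068 space-delimited string`. The enclosing `authenticate` method starts outside the hunk.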
@ -148,10 +148,11 @@ public class OAuth2RefreshTokenAuthenticationProvider implements AuthenticationP
|
|||||||
|
|
||||||
JoseHeader headers = context.getHeaders().build();
|
JoseHeader headers = context.getHeaders().build();
|
||||||
JwtClaimsSet claims = context.getClaims().build();
|
JwtClaimsSet claims = context.getClaims().build();
|
||||||
Jwt jwt = this.jwtEncoder.encode(headers, claims);
|
Jwt jwtAccessToken = this.jwtEncoder.encode(headers, claims);
|
||||||
|
|
||||||
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
|
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
|
||||||
jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getClaim(OAuth2ParameterNames.SCOPE));
|
jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(),
|
||||||
|
jwtAccessToken.getExpiresAt(), jwtAccessToken.getClaim(OAuth2ParameterNames.SCOPE));
|
||||||
|
|
||||||
TokenSettings tokenSettings = registeredClient.getTokenSettings();
|
TokenSettings tokenSettings = registeredClient.getTokenSettings();
|
||||||
|
|
||||||
@ -160,11 +161,15 @@ public class OAuth2RefreshTokenAuthenticationProvider implements AuthenticationP
|
|||||||
currentRefreshToken = generateRefreshToken(tokenSettings.refreshTokenTimeToLive());
|
currentRefreshToken = generateRefreshToken(tokenSettings.refreshTokenTimeToLive());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// @formatter:off
|
||||||
authorization = OAuth2Authorization.from(authorization)
|
authorization = OAuth2Authorization.from(authorization)
|
||||||
.accessToken(accessToken)
|
.token(accessToken,
|
||||||
|
(metadata) ->
|
||||||
|
metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, jwtAccessToken.getClaims()))
|
||||||
.refreshToken(currentRefreshToken)
|
.refreshToken(currentRefreshToken)
|
||||||
.attribute(OAuth2AuthorizationAttributeNames.ACCESS_TOKEN_ATTRIBUTES, jwt)
|
|
||||||
.build();
|
.build();
|
||||||
|
// @formatter:on
|
||||||
|
|
||||||
this.authorizationService.save(authorization);
|
this.authorizationService.save(authorization);
|
||||||
|
|
||||||
return new OAuth2AccessTokenAuthenticationToken(
|
return new OAuth2AccessTokenAuthenticationToken(
|
||||||
|