DefaultServerOAuth2AuthorizationRequestResolver requireProofKey support

When requireProofKey=true, DefaultServerOAuth2AuthorizationRequestResolver
enables PKCE support.

Issue gh-16382
Rob Winch 2025-01-17 14:14:55 -06:00
parent 8d3e0844c5
commit 0ed7b18f42
2 changed files with 17 additions and 1 deletions


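--- a/DefaultServerOAuth2AuthorizationRequestResolver.java
+++ b/DefaultServerOAuth2AuthorizationRequestResolver.java
@@ -196,7 +196,8 @@ public class DefaultServerOAuth2AuthorizationRequestResolver implements ServerOA
 // value.
 applyNonce(builder);
 }
-if (ClientAuthenticationMethod.NONE.equals(clientRegistration.getClientAuthenticationMethod())) {
+if (ClientAuthenticationMethod.NONE.equals(clientRegistration.getClientAuthenticationMethod())
+|| clientRegistration.getClientSettings().isRequireProofKey()) {
 DEFAULT_PKCE_APPLIER.accept(builder);
 }
 return builder;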
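Review bot: The widened `if` condition carries no comment explaining why `isRequireProofKey()` forces PKCE, while the nonce branch directly above it is commented; a line such as `// PKCE is mandatory for public clients (NONE) and is also applied when the registration explicitly requires it, letting confidential clients opt in to authorization-code-injection protection` above the `if` would record the intent. The new branch also dereferences `clientRegistration.getClientSettings()` unconditionally; if the `ClientRegistration` builder does not default client settings, a registration built without them would throw here, which is worth confirming against the builder. If the class-level Javadoc still describes PKCE as applied only to public clients, it should mention `requireProofKey` as well. The enclosing method starts outside the hunk.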


@ -27,6 +27,7 @@ import org.springframework.http.HttpStatus;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientSettings;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.TestClientRegistrations;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestCustomizers;
@ -169,6 +170,20 @@ public class DefaultServerOAuth2AuthorizationRequestResolverTests {
assertPkceNotApplied(request, registration2);
}
@Test
void resolveWhenRequireProofKeyTrueThenPkceEnabled() {
ClientSettings pkceEnabled = ClientSettings.builder().requireProofKey(true).build();
ClientRegistration clientWithPkceEnabled = TestClientRegistrations.clientRegistration()
.clientSettings(pkceEnabled)
.build();
given(this.clientRegistrationRepository.findByRegistrationId(any()))
.willReturn(Mono.just(clientWithPkceEnabled));
OAuth2AuthorizationRequest request = resolve(
"/oauth2/authorization/" + clientWithPkceEnabled.getRegistrationId());
assertPkceApplied(request, clientWithPkceEnabled);
}
private void assertPkceApplied(OAuth2AuthorizationRequest authorizationRequest,
ClientRegistration clientRegistration) {
assertThat(authorizationRequest.getAdditionalParameters()).containsKey(PkceParameterNames.CODE_CHALLENGE);