From 1b7e761be48719b51ab9d9323ae8db4bc904be63 Mon Sep 17 00:00:00 2001
From: Joe Grandja <jgrandja@pivotal.io>
Date: Thu, 5 Oct 2017 17:05:56 -0400
Subject: [PATCH] Remove SecurityTokenRepository from
 AuthorizationCodeAuthenticationProvider constructor

Fixes gh-4591
---
 ...rizationCodeAuthenticationFilterConfigurer.java | 14 ++++----------
 .../AuthorizationCodeAuthenticationProvider.java   | 13 ++++++++-----
 2 files changed, 12 insertions(+), 15 deletions(-)

diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/AuthorizationCodeAuthenticationFilterConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/AuthorizationCodeAuthenticationFilterConfigurer.java
index c764ca8ed7..cd6a9a05ea 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/AuthorizationCodeAuthenticationFilterConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/AuthorizationCodeAuthenticationFilterConfigurer.java
@@ -27,7 +27,6 @@ import org.springframework.security.oauth2.client.authentication.OAuth2UserAuthe
 import org.springframework.security.oauth2.client.authentication.jwt.JwtDecoderRegistry;
 import org.springframework.security.oauth2.client.authentication.jwt.nimbus.NimbusJwtDecoderRegistry;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
-import org.springframework.security.oauth2.client.token.InMemoryAccessTokenRepository;
 import org.springframework.security.oauth2.client.token.SecurityTokenRepository;
 import org.springframework.security.oauth2.client.user.CustomUserTypesOAuth2UserService;
 import org.springframework.security.oauth2.client.user.DefaultOAuth2UserService;
@@ -130,8 +129,10 @@ final class AuthorizationCodeAuthenticationFilterConfigurer<H extends HttpSecuri
 	@Override
 	public void init(H http) throws Exception {
 		AuthorizationCodeAuthenticationProvider authorizationCodeAuthenticationProvider =
-			new AuthorizationCodeAuthenticationProvider(
-				this.getAuthorizationCodeAuthenticator(), this.getAccessTokenRepository());
+			new AuthorizationCodeAuthenticationProvider(this.getAuthorizationCodeAuthenticator());
+		if (this.accessTokenRepository != null) {
+			authorizationCodeAuthenticationProvider.setAccessTokenRepository(this.accessTokenRepository);
+		}
 		authorizationCodeAuthenticationProvider = this.postProcess(authorizationCodeAuthenticationProvider);
 		http.authenticationProvider(authorizationCodeAuthenticationProvider);
 
@@ -180,13 +181,6 @@ final class AuthorizationCodeAuthenticationFilterConfigurer<H extends HttpSecuri
 		return this.authorizationCodeTokenExchanger;
 	}
 
-	private SecurityTokenRepository<AccessToken> getAccessTokenRepository() {
-		if (this.accessTokenRepository == null) {
-			this.accessTokenRepository = new InMemoryAccessTokenRepository();
-		}
-		return this.accessTokenRepository;
-	}
-
 	private JwtDecoderRegistry getJwtDecoderRegistry() {
 		if (this.jwtDecoderRegistry == null) {
 			this.jwtDecoderRegistry = new NimbusJwtDecoderRegistry();
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/AuthorizationCodeAuthenticationProvider.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/AuthorizationCodeAuthenticationProvider.java
index 359a436256..a0b12a0fcf 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/AuthorizationCodeAuthenticationProvider.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/AuthorizationCodeAuthenticationProvider.java
@@ -18,6 +18,7 @@ package org.springframework.security.oauth2.client.authentication;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.oauth2.client.token.InMemoryAccessTokenRepository;
 import org.springframework.security.oauth2.client.token.SecurityTokenRepository;
 import org.springframework.security.oauth2.core.AccessToken;
 import org.springframework.security.oauth2.oidc.client.authentication.OidcClientAuthenticationToken;
@@ -49,16 +50,13 @@ import org.springframework.util.Assert;
  */
 public class AuthorizationCodeAuthenticationProvider implements AuthenticationProvider {
 	private final AuthorizationGrantAuthenticator<AuthorizationCodeAuthenticationToken> authorizationCodeAuthenticator;
-	private final SecurityTokenRepository<AccessToken> accessTokenRepository;
+	private SecurityTokenRepository<AccessToken> accessTokenRepository = new InMemoryAccessTokenRepository();
 
 	public AuthorizationCodeAuthenticationProvider(
-			AuthorizationGrantAuthenticator<AuthorizationCodeAuthenticationToken> authorizationCodeAuthenticator,
-			SecurityTokenRepository<AccessToken> accessTokenRepository) {
+		AuthorizationGrantAuthenticator<AuthorizationCodeAuthenticationToken> authorizationCodeAuthenticator) {
 
 		Assert.notNull(authorizationCodeAuthenticator, "authorizationCodeAuthenticator cannot be null");
-		Assert.notNull(accessTokenRepository, "accessTokenRepository cannot be null");
 		this.authorizationCodeAuthenticator = authorizationCodeAuthenticator;
-		this.accessTokenRepository = accessTokenRepository;
 	}
 
 	@Override
@@ -76,6 +74,11 @@ public class AuthorizationCodeAuthenticationProvider implements AuthenticationPr
 		return oauth2ClientAuthentication;
 	}
 
+	public final void setAccessTokenRepository(SecurityTokenRepository<AccessToken> accessTokenRepository) {
+		Assert.notNull(accessTokenRepository, "accessTokenRepository cannot be null");
+		this.accessTokenRepository = accessTokenRepository;
+	}
+
 	@Override
 	public boolean supports(Class<?> authentication) {
 		return AuthorizationCodeAuthenticationToken.class.isAssignableFrom(authentication);