From d0ebe47cd5e3cee93dff2caecea1e4f11ee907e7 Mon Sep 17 00:00:00 2001 From: Rob Winch Date: Fri, 17 Aug 2018 22:05:33 -0500 Subject: [PATCH] OAuth2LoginReactiveAuthenticationManager uses OAuth2AuthorizationCodeReactiveAuthenticationManager Issue: gh-5620 --- .../config/web/server/ServerHttpSecurity.java | 4 +- ...2AuthorizationCodeAuthenticationToken.java | 18 ++++++++ ...tionCodeReactiveAuthenticationManager.java | 2 +- ...th2LoginReactiveAuthenticationManager.java | 43 +++++++------------ ...tionCodeReactiveAuthenticationManager.java | 5 ++- ...tionCodeAuthenticationTokenConverter.java} | 10 ++--- ...ginReactiveAuthenticationManagerTests.java | 4 +- ...odeReactiveAuthenticationManagerTests.java | 11 ++--- ...CodeAuthenticationTokenConverterTest.java} | 35 +++++++-------- ...Auth2AccessTokenResponseBodyExtractor.java | 9 +++- 10 files changed, 76 insertions(+), 65 deletions(-) rename oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/{ServerOAuth2LoginAuthenticationTokenConverter.java => ServerOAuth2AuthorizationCodeAuthenticationTokenConverter.java} (90%) rename oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/server/{ServerOAuth2LoginAuthenticationTokenConverterTest.java => ServerOAuth2AuthorizationCodeAuthenticationTokenConverterTest.java} (87%) diff --git a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java index c48c13270f..78d5921163 100644 --- a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java +++ b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java 
@@ -40,9 +40,9 @@ import org.springframework.security.oauth2.client.registration.ReactiveClientReg import org.springframework.security.oauth2.client.userinfo.DefaultReactiveOAuth2UserService; import org.springframework.security.oauth2.client.userinfo.ReactiveOAuth2UserService; import org.springframework.security.oauth2.client.web.server.OAuth2AuthorizationRequestRedirectWebFilter; -import org.springframework.security.oauth2.client.web.server.ServerOAuth2LoginAuthenticationTokenConverter; import org.springframework.security.oauth2.client.web.server.AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository; import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository; +import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizationCodeAuthenticationTokenConverter; import org.springframework.security.oauth2.client.web.server.authentication.OAuth2LoginAuthenticationWebFilter; import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder; import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder; @@ -491,7 +491,7 @@ public class ServerHttpSecurity { AuthenticationWebFilter authenticationFilter = new OAuth2LoginAuthenticationWebFilter(manager, authorizedClientRepository); authenticationFilter.setRequiresAuthenticationMatcher(new PathPatternParserServerWebExchangeMatcher("/login/oauth2/code/{registrationId}")); - authenticationFilter.setServerAuthenticationConverter(new ServerOAuth2LoginAuthenticationTokenConverter(clientRegistrationRepository)); + authenticationFilter.setServerAuthenticationConverter(new ServerOAuth2AuthorizationCodeAuthenticationTokenConverter(clientRegistrationRepository)); RedirectServerAuthenticationSuccessHandler redirectHandler = new RedirectServerAuthenticationSuccessHandler(); 
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2AuthorizationCodeAuthenticationToken.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2AuthorizationCodeAuthenticationToken.java index 969a10a0a8..dd3ad862dd 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2AuthorizationCodeAuthenticationToken.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2AuthorizationCodeAuthenticationToken.java @@ -25,6 +25,8 @@ import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExch import org.springframework.util.Assert; import java.util.Collections; +import java.util.HashMap; +import java.util.Map; /** * An {@link AbstractAuthenticationToken} for the OAuth 2.0 Authorization Code Grant. @@ -39,6 +41,7 @@ import java.util.Collections; */ public class OAuth2AuthorizationCodeAuthenticationToken extends AbstractAuthenticationToken { private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID; + private Map additionalParameters = new HashMap<>(); private ClientRegistration clientRegistration; private OAuth2AuthorizationExchange authorizationExchange; private OAuth2AccessToken accessToken; 
@@ -86,11 +89,17 @@ public class OAuth2AuthorizationCodeAuthenticationToken extends AbstractAuthenti OAuth2AuthorizationExchange authorizationExchange, OAuth2AccessToken accessToken, @Nullable OAuth2RefreshToken refreshToken) { + this(clientRegistration, authorizationExchange, accessToken, refreshToken, Collections.emptyMap()); + } + + public OAuth2AuthorizationCodeAuthenticationToken(ClientRegistration clientRegistration, OAuth2AuthorizationExchange authorizationExchange, OAuth2AccessToken accessToken, OAuth2RefreshToken refreshToken, + Map additionalParameters) { this(clientRegistration, authorizationExchange); Assert.notNull(accessToken, "accessToken cannot be null"); this.accessToken = accessToken; this.refreshToken = refreshToken; this.setAuthenticated(true); + this.additionalParameters.putAll(additionalParameters); } @Override @@ -140,4 +149,13 @@ public class OAuth2AuthorizationCodeAuthenticationToken extends AbstractAuthenti public @Nullable OAuth2RefreshToken getRefreshToken() { return this.refreshToken; } + + /** + * Returns the additional parameters + * + * @return the additional parameters + */ + public Map getAdditionalParameters() { + return this.additionalParameters; + } } diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2AuthorizationCodeReactiveAuthenticationManager.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2AuthorizationCodeReactiveAuthenticationManager.java index 76c8861a0d..2092644374 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2AuthorizationCodeReactiveAuthenticationManager.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2AuthorizationCodeReactiveAuthenticationManager.java 
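Review bot: The new `getAdditionalParameters()` accessor in the second hunk on this line hands out the token's internal `HashMap`, so any code that obtains this authenticated `Authentication` (for example from the security context) can alter the parameters that `OAuth2LoginReactiveAuthenticationManager` later forwards to the user service; wrap it on the way out, `return Collections.unmodifiableMap(this.additionalParameters);` (`Collections` is already imported in this file). The five-argument constructor in the first hunk calls `this.additionalParameters.putAll(additionalParameters)` without a guard, so a null argument fails with a bare NullPointerException instead of the `Assert.notNull` message used for `accessToken`; adding `Assert.notNull(additionalParameters, "additionalParameters cannot be null");` keeps the constructor's error style consistent. The Javadoc on the getter could also state that the map is a copy of the token response's additional parameters and is empty for tokens built by the two- and four-argument constructors, which is what the delegation to `Collections.emptyMap()` and the field initializer give.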
@@ -87,7 +87,7 @@ public class OAuth2AuthorizationCodeReactiveAuthenticationManager implements
 OAuth2AuthorizationExchange exchange = token.getAuthorizationExchange();
 OAuth2AccessToken accessToken = accessTokenResponse.getAccessToken();
 OAuth2RefreshToken refreshToken = accessTokenResponse.getRefreshToken();
- return new OAuth2AuthorizationCodeAuthenticationToken(registration, exchange, accessToken, refreshToken);
+ return new OAuth2AuthorizationCodeAuthenticationToken(registration, exchange, accessToken, refreshToken, accessTokenResponse.getAdditionalParameters());
 };
 }
 }
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginReactiveAuthenticationManager.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginReactiveAuthenticationManager.java
index 3ff33b5ecf..729f91423e 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginReactiveAuthenticationManager.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginReactiveAuthenticationManager.java
@@ -15,26 +15,21 @@ */ package org.springframework.security.oauth2.client.authentication; -import java.util.Collection; -import java.util.Map; - import org.springframework.security.authentication.ReactiveAuthenticationManager; import org.springframework.security.core.Authentication; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper; -import org.springframework.security.oauth2.client.OAuth2AuthorizedClient; -import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientService; import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest; import org.springframework.security.oauth2.client.endpoint.ReactiveOAuth2AccessTokenResponseClient; import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest; import org.springframework.security.oauth2.client.userinfo.ReactiveOAuth2UserService; import org.springframework.security.oauth2.core.OAuth2AccessToken; -import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse; import org.springframework.security.oauth2.core.user.OAuth2User; import org.springframework.util.Assert; - import reactor.core.publisher.Mono; +import java.util.Collection; +import java.util.Map; /** * An implementation of an {@link org.springframework.security.authentication.AuthenticationProvider} for OAuth 2.0 Login, @@ -62,7 +57,7 @@ import reactor.core.publisher.Mono; */ public class OAuth2LoginReactiveAuthenticationManager implements ReactiveAuthenticationManager { - private final ReactiveOAuth2AccessTokenResponseClient accessTokenResponseClient; + private final ReactiveAuthenticationManager authorizationCodeManager; private final ReactiveOAuth2UserService userService; 
@@ -73,18 +68,18 @@ public class OAuth2LoginReactiveAuthenticationManager implements ReactiveOAuth2UserService userService) { Assert.notNull(accessTokenResponseClient, "accessTokenResponseClient cannot be null"); Assert.notNull(userService, "userService cannot be null"); - this.accessTokenResponseClient = accessTokenResponseClient; + this.authorizationCodeManager = new OAuth2AuthorizationCodeReactiveAuthenticationManager(accessTokenResponseClient); this.userService = userService; } @Override public Mono authenticate(Authentication authentication) { return Mono.defer(() -> { - OAuth2LoginAuthenticationToken authorizationCodeAuthentication = (OAuth2LoginAuthenticationToken) authentication; + OAuth2AuthorizationCodeAuthenticationToken token = (OAuth2AuthorizationCodeAuthenticationToken) authentication; // Section 3.1.2.1 Authentication Request - http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest // scope REQUIRED. OpenID Connect requests MUST contain the "openid" scope value. - if (authorizationCodeAuthentication.getAuthorizationExchange() + if (token.getAuthorizationExchange() .getAuthorizationRequest().getScopes().contains("openid")) { // This is an OpenID Connect Authentication Request so return null // and let OidcAuthorizationCodeReactiveAuthenticationManager handle it instead once one is created 
@@ -92,34 +87,28 @@ public class OAuth2LoginReactiveAuthenticationManager implements // return Mono.empty(); } - OAuth2AuthorizationExchangeValidator.validate(authorizationCodeAuthentication.getAuthorizationExchange()); - - OAuth2AuthorizationCodeGrantRequest authzRequest = new OAuth2AuthorizationCodeGrantRequest( - authorizationCodeAuthentication.getClientRegistration(), - authorizationCodeAuthentication.getAuthorizationExchange()); - - return this.accessTokenResponseClient.getTokenResponse(authzRequest) - .flatMap(accessTokenResponse -> authenticationResult(authorizationCodeAuthentication, accessTokenResponse)); + return this.authorizationCodeManager.authenticate(token) + .cast(OAuth2AuthorizationCodeAuthenticationToken.class) + .flatMap(this::onSuccess); }); } - private Mono authenticationResult(OAuth2LoginAuthenticationToken authorizationCodeAuthentication, OAuth2AccessTokenResponse accessTokenResponse) { - OAuth2AccessToken accessToken = accessTokenResponse.getAccessToken(); - Map additionalParameters = accessTokenResponse.getAdditionalParameters(); - OAuth2UserRequest userRequest = new OAuth2UserRequest( - authorizationCodeAuthentication.getClientRegistration(), accessToken, additionalParameters); + private Mono onSuccess(OAuth2AuthorizationCodeAuthenticationToken authentication) { + OAuth2AccessToken accessToken = authentication.getAccessToken(); + Map additionalParameters = authentication.getAdditionalParameters(); + OAuth2UserRequest userRequest = new OAuth2UserRequest(authentication.getClientRegistration(), accessToken, additionalParameters); return this.userService.loadUser(userRequest) .map(oauth2User -> { Collection mappedAuthorities = this.authoritiesMapper.mapAuthorities(oauth2User.getAuthorities()); OAuth2LoginAuthenticationToken authenticationResult = new OAuth2LoginAuthenticationToken( - authorizationCodeAuthentication.getClientRegistration(), - authorizationCodeAuthentication.getAuthorizationExchange(), + authentication.getClientRegistration(), + 
authentication.getAuthorizationExchange(), oauth2User, mappedAuthorities, accessToken, - accessTokenResponse.getRefreshToken()); + authentication.getRefreshToken()); return authenticationResult; }); } diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizationCodeReactiveAuthenticationManager.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizationCodeReactiveAuthenticationManager.java index c3a373ded9..c2a5336fab 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizationCodeReactiveAuthenticationManager.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizationCodeReactiveAuthenticationManager.java @@ -19,6 +19,7 @@ import org.springframework.security.authentication.ReactiveAuthenticationManager import org.springframework.security.core.Authentication; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper; +import org.springframework.security.oauth2.client.authentication.OAuth2AuthorizationCodeAuthenticationToken; import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken; import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest; import org.springframework.security.oauth2.client.endpoint.ReactiveOAuth2AccessTokenResponseClient; 
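Review bot: The explicit `OAuth2AuthorizationExchangeValidator.validate(...)` call is removed from `authenticate` along with the token-request code, and nothing in the replacement `this.authorizationCodeManager.authenticate(token)` chain shows where the exchange (error response and state) is now checked; unless `OAuth2AuthorizationCodeReactiveAuthenticationManager.authenticate` performs that validation before exchanging the code — its body is outside this diff, only the token-building lambda is shown — the login path would now send an unvalidated authorization response to the token endpoint. Worth confirming against that class, and if it does validate, a comment at the delegation, `// exchange validation (error response, state) is performed by the delegate`, saves the next reader the same question. The `.cast(OAuth2AuthorizationCodeAuthenticationToken.class)` step is only valid while the delegate is the class hard-wired in the constructor; since the field is typed as the `ReactiveAuthenticationManager` interface, a comment on the field saying the delegate must emit `OAuth2AuthorizationCodeAuthenticationToken` instances would document that coupling. The `authenticate` method starts in the preceding hunk.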
@@ -98,7 +99,7 @@ public class OidcAuthorizationCodeReactiveAuthenticationManager implements @Override public Mono authenticate(Authentication authentication) { return Mono.defer(() -> { - OAuth2LoginAuthenticationToken authorizationCodeAuthentication = (OAuth2LoginAuthenticationToken) authentication; + OAuth2AuthorizationCodeAuthenticationToken authorizationCodeAuthentication = (OAuth2AuthorizationCodeAuthenticationToken) authentication; // Section 3.1.2.1 Authentication Request - http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest // scope REQUIRED. OpenID Connect requests MUST contain the "openid" scope value. @@ -149,7 +150,7 @@ public class OidcAuthorizationCodeReactiveAuthenticationManager implements this.decoderFactory = decoderFactory; } - private Mono authenticationResult(OAuth2LoginAuthenticationToken authorizationCodeAuthentication, OAuth2AccessTokenResponse accessTokenResponse) { + private Mono authenticationResult(OAuth2AuthorizationCodeAuthenticationToken authorizationCodeAuthentication, OAuth2AccessTokenResponse accessTokenResponse) { OAuth2AccessToken accessToken = accessTokenResponse.getAccessToken(); ClientRegistration clientRegistration = authorizationCodeAuthentication.getClientRegistration(); Map additionalParameters = accessTokenResponse.getAdditionalParameters(); diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/ServerOAuth2LoginAuthenticationTokenConverter.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/ServerOAuth2AuthorizationCodeAuthenticationTokenConverter.java similarity index 90% rename from oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/ServerOAuth2LoginAuthenticationTokenConverter.java rename to oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/ServerOAuth2AuthorizationCodeAuthenticationTokenConverter.java index 492bc68def..23e4e32b71 100644 
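Review bot: `OidcAuthorizationCodeReactiveAuthenticationManager` now takes the same `OAuth2AuthorizationCodeAuthenticationToken` input as the login manager, but judging by the unchanged `authenticationResult(..., OAuth2AccessTokenResponse accessTokenResponse)` signature in the second hunk it still drives the token exchange itself rather than delegating to `OAuth2AuthorizationCodeReactiveAuthenticationManager` as the login manager now does, so the two paths can drift in how validation and additional parameters are handled. That may be intended for this commit, but a comment on the cast line, `// same input token as OAuth2LoginReactiveAuthenticationManager; the token exchange is still performed here`, would make the asymmetry deliberate rather than accidental. The `authenticate` body continues past the hunk.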
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/ServerOAuth2LoginAuthenticationTokenConverter.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/ServerOAuth2AuthorizationCodeAuthenticationTokenConverter.java @@ -17,6 +17,7 @@ package org.springframework.security.oauth2.client.web.server; import org.springframework.security.core.Authentication; +import org.springframework.security.oauth2.client.authentication.OAuth2AuthorizationCodeAuthenticationToken; import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken; import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository; import org.springframework.security.oauth2.core.OAuth2AuthenticationException; @@ -30,7 +31,6 @@ import org.springframework.util.Assert; import org.springframework.util.MultiValueMap; import org.springframework.web.server.ServerWebExchange; import org.springframework.web.util.UriComponentsBuilder; - import reactor.core.publisher.Mono; /** @@ -40,7 +40,7 @@ import reactor.core.publisher.Mono; * @since 5.1 * @see org.springframework.security.web.server.authentication.AuthenticationWebFilter#setServerAuthenticationConverter(ServerAuthenticationConverter) */ -public class ServerOAuth2LoginAuthenticationTokenConverter +public class ServerOAuth2AuthorizationCodeAuthenticationTokenConverter implements ServerAuthenticationConverter { static final String AUTHORIZATION_REQUEST_NOT_FOUND_ERROR_CODE = "authorization_request_not_found"; 
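Review bot: The import of `OAuth2LoginAuthenticationToken` is kept as context right after the added `OAuth2AuthorizationCodeAuthenticationToken` import, yet the later hunks in this file replace every visible use of that type (the `authenticationRequest` return type and the token construction); unless it is still referenced from Javadoc outside the hunks, the import is now unused and should be removed. The class Javadoc above the renamed declaration only carries `@since` and `@see` in the visible lines; a sentence stating that the converter produces an `OAuth2AuthorizationCodeAuthenticationToken` would help readers coming from the old name.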
@@ -52,7 +52,7 @@ public class ServerOAuth2LoginAuthenticationTokenConverter private final ReactiveClientRegistrationRepository clientRegistrationRepository; - public ServerOAuth2LoginAuthenticationTokenConverter( + public ServerOAuth2AuthorizationCodeAuthenticationTokenConverter( ReactiveClientRegistrationRepository clientRegistrationRepository) { Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null"); this.clientRegistrationRepository = clientRegistrationRepository; @@ -83,7 +83,7 @@ public class ServerOAuth2LoginAuthenticationTokenConverter }); } - private Mono authenticationRequest(ServerWebExchange exchange, OAuth2AuthorizationRequest authorizationRequest) { + private Mono authenticationRequest(ServerWebExchange exchange, OAuth2AuthorizationRequest authorizationRequest) { return Mono.just(authorizationRequest) .map(OAuth2AuthorizationRequest::getAdditionalParameters) .flatMap(additionalParams -> { @@ -96,7 +96,7 @@ public class ServerOAuth2LoginAuthenticationTokenConverter .switchIfEmpty(oauth2AuthenticationException(CLIENT_REGISTRATION_NOT_FOUND_ERROR_CODE)) .map(clientRegistration -> { OAuth2AuthorizationResponse authorizationResponse = convertResponse(exchange); - OAuth2LoginAuthenticationToken authenticationRequest = new OAuth2LoginAuthenticationToken( + OAuth2AuthorizationCodeAuthenticationToken authenticationRequest = new OAuth2AuthorizationCodeAuthenticationToken( clientRegistration, new OAuth2AuthorizationExchange(authorizationRequest, authorizationResponse)); return authenticationRequest; }); diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginReactiveAuthenticationManagerTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginReactiveAuthenticationManagerTests.java index da2707b678..705225c358 100644 
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginReactiveAuthenticationManagerTests.java +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginReactiveAuthenticationManagerTests.java @@ -178,7 +178,7 @@ public class OAuth2LoginReactiveAuthenticationManagerTests { .containsAllEntriesOf(accessTokenResponse.getAdditionalParameters()); } - private OAuth2LoginAuthenticationToken loginToken() { + private OAuth2AuthorizationCodeAuthenticationToken loginToken() { ClientRegistration clientRegistration = this.registration.build(); OAuth2AuthorizationRequest authorizationRequest = OAuth2AuthorizationRequest .authorizationCode() @@ -193,6 +193,6 @@ public class OAuth2LoginReactiveAuthenticationManagerTests { .build(); OAuth2AuthorizationExchange authorizationExchange = new OAuth2AuthorizationExchange(authorizationRequest, authorizationResponse); - return new OAuth2LoginAuthenticationToken(clientRegistration, authorizationExchange); + return new OAuth2AuthorizationCodeAuthenticationToken(clientRegistration, authorizationExchange); } } diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizationCodeReactiveAuthenticationManagerTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizationCodeReactiveAuthenticationManagerTests.java index 452f729094..72b34ebc3c 100644 --- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizationCodeReactiveAuthenticationManagerTests.java +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizationCodeReactiveAuthenticationManagerTests.java 
@@ -24,7 +24,7 @@ import org.mockito.Mock; import org.mockito.junit.MockitoJUnitRunner; import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.core.authority.AuthorityUtils; -import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken; +import org.springframework.security.oauth2.client.authentication.OAuth2AuthorizationCodeAuthenticationToken; import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken; import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest; import org.springframework.security.oauth2.client.endpoint.ReactiveOAuth2AccessTokenResponseClient; @@ -182,7 +182,7 @@ public class OidcAuthorizationCodeReactiveAuthenticationManagerTests { when(this.jwtDecoder.decode(any())).thenReturn(Mono.just(idToken)); this.manager.setDecoderFactory(c -> this.jwtDecoder); - OAuth2AuthenticationToken result = (OAuth2AuthenticationToken) this.manager.authenticate(loginToken()).block(); + OAuth2LoginAuthenticationToken result = (OAuth2LoginAuthenticationToken) this.manager.authenticate(loginToken()).block(); assertThat(result.getPrincipal()).isEqualTo(user); assertThat(result.getAuthorities()).containsOnlyElementsOf(user.getAuthorities()); @@ -192,6 +192,7 @@ public class OidcAuthorizationCodeReactiveAuthenticationManagerTests { // gh-5368 @Test public void authenticateWhenTokenSuccessResponseThenAdditionalParametersAddedToUserRequest() { + ClientRegistration clientRegistration = this.registration.build(); Map additionalParameters = new HashMap<>(); additionalParameters.put(OidcParameterNames.ID_TOKEN, this.idToken.getTokenValue()); additionalParameters.put("param1", "value1"); 
@@ -204,7 +205,7 @@ public class OidcAuthorizationCodeReactiveAuthenticationManagerTests { Map claims = new HashMap<>(); claims.put(IdTokenClaimNames.ISS, "https://issuer.example.com"); claims.put(IdTokenClaimNames.SUB, "rob"); - claims.put(IdTokenClaimNames.AUD, Arrays.asList("clientId")); + claims.put(IdTokenClaimNames.AUD, Arrays.asList(clientRegistration.getClientId())); Instant issuedAt = Instant.now(); Instant expiresAt = Instant.from(issuedAt).plusSeconds(3600); Jwt idToken = new Jwt("id-token", issuedAt, expiresAt, claims, claims); @@ -222,7 +223,7 @@ public class OidcAuthorizationCodeReactiveAuthenticationManagerTests { .containsAllEntriesOf(accessTokenResponse.getAdditionalParameters()); } - private OAuth2LoginAuthenticationToken loginToken() { + private OAuth2AuthorizationCodeAuthenticationToken loginToken() { ClientRegistration clientRegistration = this.registration.build(); OAuth2AuthorizationRequest authorizationRequest = OAuth2AuthorizationRequest .authorizationCode() @@ -237,6 +238,6 @@ public class OidcAuthorizationCodeReactiveAuthenticationManagerTests { .build(); OAuth2AuthorizationExchange authorizationExchange = new OAuth2AuthorizationExchange(authorizationRequest, authorizationResponse); - return new OAuth2LoginAuthenticationToken(clientRegistration, authorizationExchange); + return new OAuth2AuthorizationCodeAuthenticationToken(clientRegistration, authorizationExchange); } } 
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/server/ServerOAuth2LoginAuthenticationTokenConverterTest.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/server/ServerOAuth2AuthorizationCodeAuthenticationTokenConverterTest.java similarity index 87% rename from oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/server/ServerOAuth2LoginAuthenticationTokenConverterTest.java rename to oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/server/ServerOAuth2AuthorizationCodeAuthenticationTokenConverterTest.java index e65530f224..c21eba9c9a 100644 --- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/server/ServerOAuth2LoginAuthenticationTokenConverterTest.java +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/server/ServerOAuth2AuthorizationCodeAuthenticationTokenConverterTest.java @@ -16,13 +16,6 @@ package org.springframework.security.oauth2.client.web.server; -import static org.assertj.core.api.Assertions.assertThat; -import static org.assertj.core.api.Assertions.assertThatThrownBy; -import static org.mockito.ArgumentMatchers.any; -import static org.mockito.Mockito.when; - -import java.util.Collections; - import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; 
@@ -30,7 +23,7 @@ import org.mockito.Mock; import org.mockito.junit.MockitoJUnitRunner; import org.springframework.mock.http.server.reactive.MockServerHttpRequest; import org.springframework.mock.web.server.MockServerWebExchange; -import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken; +import org.springframework.security.oauth2.client.authentication.OAuth2AuthorizationCodeAuthenticationToken; import org.springframework.security.oauth2.client.registration.ClientRegistration; import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository; import org.springframework.security.oauth2.core.AuthorizationGrantType; @@ -39,15 +32,21 @@ import org.springframework.security.oauth2.core.OAuth2AuthenticationException; import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest; import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse; import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames; - import reactor.core.publisher.Mono; +import java.util.Collections; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.Mockito.when; + /** * @author Rob Winch * @since 5.1 */ @RunWith(MockitoJUnitRunner.class) -public class ServerOAuth2LoginAuthenticationTokenConverterTest { +public class ServerOAuth2AuthorizationCodeAuthenticationTokenConverterTest { @Mock private ReactiveClientRegistrationRepository clientRegistrationRepository; 
@@ -79,11 +78,11 @@ public class ServerOAuth2LoginAuthenticationTokenConverterTest { private final MockServerHttpRequest.BaseBuilder request = MockServerHttpRequest.get("/"); - private ServerOAuth2LoginAuthenticationTokenConverter converter; + private ServerOAuth2AuthorizationCodeAuthenticationTokenConverter converter; @Before public void setup() { - this.converter = new ServerOAuth2LoginAuthenticationTokenConverter(this.clientRegistrationRepository); + this.converter = new ServerOAuth2AuthorizationCodeAuthenticationTokenConverter(this.clientRegistrationRepository); this.converter.setAuthorizationRequestRepository(this.authorizationRequestRepository); } @@ -102,8 +101,7 @@ public class ServerOAuth2LoginAuthenticationTokenConverterTest { assertThatThrownBy(() -> applyConverter()) .isInstanceOf(OAuth2AuthenticationException.class) - .hasMessageContaining( - ServerOAuth2LoginAuthenticationTokenConverter.CLIENT_REGISTRATION_NOT_FOUND_ERROR_CODE); + .hasMessageContaining(ServerOAuth2AuthorizationCodeAuthenticationTokenConverter.CLIENT_REGISTRATION_NOT_FOUND_ERROR_CODE); } @Test @@ -113,8 +111,7 @@ public class ServerOAuth2LoginAuthenticationTokenConverterTest { assertThatThrownBy(() -> applyConverter()) .isInstanceOf(OAuth2AuthenticationException.class) - .hasMessageContaining( - ServerOAuth2LoginAuthenticationTokenConverter.CLIENT_REGISTRATION_NOT_FOUND_ERROR_CODE); + .hasMessageContaining(ServerOAuth2AuthorizationCodeAuthenticationTokenConverter.CLIENT_REGISTRATION_NOT_FOUND_ERROR_CODE); } @Test 
@@ -133,7 +130,7 @@ public class ServerOAuth2LoginAuthenticationTokenConverterTest { when(this.authorizationRequestRepository.removeAuthorizationRequest(any())).thenReturn(Mono.just(this.authorizationRequest.build())); when(this.clientRegistrationRepository.findByRegistrationId(any())).thenReturn(Mono.just(this.clientRegistration)); - OAuth2LoginAuthenticationToken result = applyConverter(); + OAuth2AuthorizationCodeAuthenticationToken result = applyConverter(); OAuth2AuthorizationResponse exchange = result .getAuthorizationExchange().getAuthorizationResponse(); @@ -141,8 +138,8 @@ public class ServerOAuth2LoginAuthenticationTokenConverterTest { assertThat(exchange.getCode()).isEqualTo("code"); } - private OAuth2LoginAuthenticationToken applyConverter() { + private OAuth2AuthorizationCodeAuthenticationToken applyConverter() { MockServerWebExchange exchange = MockServerWebExchange.from(this.request); - return (OAuth2LoginAuthenticationToken) this.converter.convert(exchange).block(); + return (OAuth2AuthorizationCodeAuthenticationToken) this.converter.convert(exchange).block(); } } diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/web/reactive/function/OAuth2AccessTokenResponseBodyExtractor.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/web/reactive/function/OAuth2AccessTokenResponseBodyExtractor.java index 188f2bd0d5..897620aa47 100644 --- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/web/reactive/function/OAuth2AccessTokenResponseBodyExtractor.java +++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/web/reactive/function/OAuth2AccessTokenResponseBodyExtractor.java 
@@ -112,7 +112,12 @@ class OAuth2AccessTokenResponseBodyExtractor Map additionalParameters = new LinkedHashMap<>(accessTokenResponse.getCustomParameters()); - return OAuth2AccessTokenResponse.withToken(accessToken.getValue()).tokenType(accessTokenType).expiresIn(expiresIn).scopes(scopes) - .refreshToken(refreshToken).additionalParameters(additionalParameters).build(); + return OAuth2AccessTokenResponse.withToken(accessToken.getValue()) + .tokenType(accessTokenType) + .expiresIn(expiresIn) + .scopes(scopes) + .refreshToken(refreshToken) + .additionalParameters(additionalParameters) + .build(); } }