diff --git a/crypto/src/main/java/org/springframework/security/crypto/keygen/Base64StringKeyGenerator.java b/crypto/src/main/java/org/springframework/security/crypto/keygen/Base64StringKeyGenerator.java
new file mode 100644
index 0000000000..fd13999d17
--- /dev/null
+++ b/crypto/src/main/java/org/springframework/security/crypto/keygen/Base64StringKeyGenerator.java
@@ -0,0 +1,79 @@
+/*
+ * Copyright 2002-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.crypto.keygen;
+
+import java.util.Base64;
+
+/**
+ * A StringKeyGenerator that generates base64-encoded String keys. Delegates to a
+ * {@link BytesKeyGenerator} for the actual key generation.
+ *
+ * @author Joe Grandja
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class Base64StringKeyGenerator implements StringKeyGenerator {
+ private static final int DEFAULT_KEY_LENGTH = 32;
+ private final BytesKeyGenerator keyGenerator;
+ private final Base64.Encoder encoder;
+
+ /**
+ * Creates an instance with keyLength of 32 bytes and standard Base64 encoding.
+ */
+ public Base64StringKeyGenerator() {
+ this(DEFAULT_KEY_LENGTH);
+ }
+
+ /**
+ * Creates an instance with the provided key length in bytes and standard Base64
+ * encoding.
+ * @param keyLength the key length in bytes
+ */
+ public Base64StringKeyGenerator(int keyLength) {
+ this(Base64.getEncoder(), keyLength);
+ }
+
+ /**
+ * Creates an instance with keyLength of 32 bytes and the provided encoder.
+ * @param encoder the encoder to use
+ */
+ public Base64StringKeyGenerator(Base64.Encoder encoder) {
+ this(encoder, DEFAULT_KEY_LENGTH);
+ }
+
+ /**
+ * Creates an instance with the provided key length and encoder.
+ * @param encoder the encoder to use
+ * @param keyLength the key length to use
+ */
+ public Base64StringKeyGenerator(Base64.Encoder encoder, int keyLength) {
+ if(encoder == null) {
+ throw new IllegalArgumentException("encode cannot be null");
+ }
+ if(keyLength < DEFAULT_KEY_LENGTH) {
+ throw new IllegalArgumentException("keyLength must be greater than or equal to" + DEFAULT_KEY_LENGTH);
+ }
+ this.encoder = encoder;
+ this.keyGenerator = KeyGenerators.secureRandom(keyLength);
+ }
+
+ @Override
+ public String generateKey() {
+ byte[] key = this.keyGenerator.generateKey();
+ byte[] base64EncodedKey = this.encoder.encode(key);
+ return new String(base64EncodedKey);
+ }
+}
diff --git a/crypto/src/test/java/org/springframework/security/crypto/keygen/Base64StringKeyGeneratorTests.java b/crypto/src/test/java/org/springframework/security/crypto/keygen/Base64StringKeyGeneratorTests.java
new file mode 100644
index 0000000000..e199143b52
--- /dev/null
+++ b/crypto/src/test/java/org/springframework/security/crypto/keygen/Base64StringKeyGeneratorTests.java
@@ -0,0 +1,66 @@
+/*
+ * Copyright 2002-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.crypto.keygen;
+
+import org.junit.Test;
+
+import java.util.Base64;
+
+import static org.assertj.core.api.Assertions.*;
+
+/**
+ * @author Rob Winch
+ * @since 5.0
+ */
+public class Base64StringKeyGeneratorTests {
+ @Test(expected = IllegalArgumentException.class)
+ public void constructorIntWhenLessThan32ThenIllegalArgumentException() {
+ new Base64StringKeyGenerator(31);
+ }
+
+ @Test(expected = IllegalArgumentException.class)
+ public void constructorEncoderWhenEncoderNullThenThrowsIllegalArgumentException() {
+ Base64.Encoder encoder = null;
+ new Base64StringKeyGenerator(null);
+ }
+
+ @Test
+ public void generateKeyWhenDefaultConstructorThen32Bytes() {
+ String result = new Base64StringKeyGenerator().generateKey();
+ assertThat(Base64.getDecoder().decode(result.getBytes())).hasSize(32);
+ }
+
+ @Test
+ public void generateKeyWhenCustomKeySizeThen32Bytes() {
+ int size = 40;
+ String result = new Base64StringKeyGenerator(size).generateKey();
+ assertThat(Base64.getDecoder().decode(result.getBytes())).hasSize(size);
+ }
+
+ @Test
+ public void generateKeyWhenBase64Then32Bytes() {
+ String result = new Base64StringKeyGenerator(Base64.getUrlEncoder()).generateKey();
+ assertThat(Base64.getUrlDecoder().decode(result.getBytes())).hasSize(32);
+ }
+
+ @Test
+ public void generateKeyWhenBase64AndCustomKeySizeThen32Bytes() {
+ int size = 40;
+ String result = new Base64StringKeyGenerator(Base64.getUrlEncoder(), size).generateKey();
+ assertThat(Base64.getUrlDecoder().decode(result.getBytes())).hasSize(size);
+ }
+}
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/AuthorizationRequestRedirectFilter.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/AuthorizationRequestRedirectFilter.java
index d62a7b244c..ed24e0207b 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/AuthorizationRequestRedirectFilter.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/AuthorizationRequestRedirectFilter.java
@@ -16,6 +16,7 @@
package org.springframework.security.oauth2.client.web;
import org.springframework.http.HttpStatus;
+import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
import org.springframework.security.crypto.keygen.StringKeyGenerator;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
@@ -35,6 +36,7 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.URI;
+import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
@@ -69,7 +71,7 @@ public class AuthorizationRequestRedirectFilter extends OncePerRequestFilter {
private final ClientRegistrationRepository clientRegistrationRepository;
private AuthorizationRequestUriBuilder authorizationRequestUriBuilder = new DefaultAuthorizationRequestUriBuilder();
private final RedirectStrategy authorizationRedirectStrategy = new DefaultRedirectStrategy();
- private final StringKeyGenerator stateGenerator = new DefaultStateGenerator();
+ private final StringKeyGenerator stateGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder());
private AuthorizationRequestRepository authorizationRequestRepository = new HttpSessionAuthorizationRequestRepository();
public AuthorizationRequestRedirectFilter(ClientRegistrationRepository clientRegistrationRepository) {
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultStateGenerator.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultStateGenerator.java
deleted file mode 100644
index 0a5e3141b1..0000000000
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultStateGenerator.java
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright 2012-2017 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.springframework.security.oauth2.client.web;
-
-import org.springframework.security.crypto.keygen.BytesKeyGenerator;
-import org.springframework.security.crypto.keygen.KeyGenerators;
-import org.springframework.security.crypto.keygen.StringKeyGenerator;
-import org.springframework.security.oauth2.core.endpoint.OAuth2Parameter;
-import org.springframework.util.Assert;
-
-import java.util.Base64;
-
-/**
- * The default implementation for generating the {@link OAuth2Parameter#STATE} parameter
- * used in the Authorization Request and correlated in the Authorization Response (or Error Response).
- *
- *
- * NOTE: The value of the state parameter is an opaque String
- * used by the client to prevent cross-site request forgery, as described in
- * Section 10.12 of the specification.
- *
- * @author Joe Grandja
- * @since 5.0
- */
-public class DefaultStateGenerator implements StringKeyGenerator {
- private static final int DEFAULT_KEY_LENGTH = 32;
- private final BytesKeyGenerator keyGenerator;
-
- public DefaultStateGenerator() {
- this(DEFAULT_KEY_LENGTH);
- }
-
- public DefaultStateGenerator(int keyLength) {
- Assert.isTrue(keyLength >= DEFAULT_KEY_LENGTH, "keyLength must be greater than " + DEFAULT_KEY_LENGTH);
- this.keyGenerator = KeyGenerators.secureRandom(keyLength);
- }
-
- @Override
- public String generateKey() {
- return new String(Base64.getUrlEncoder().encode(keyGenerator.generateKey()));
- }
-}