scopes_supported metadata not used as default in ClientRegistrations
Closes gh-8514
parent
21e9a410ee
commit
0486d5add9
|
@ -152,7 +152,7 @@ public class ClientRegistrationsBeanDefinitionParserTests {
|
||||||
assertThat(googleRegistration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.BASIC);
|
assertThat(googleRegistration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.BASIC);
|
||||||
assertThat(googleRegistration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
|
assertThat(googleRegistration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
|
||||||
assertThat(googleRegistration.getRedirectUri()).isEqualTo("{baseUrl}/{action}/oauth2/code/{registrationId}");
|
assertThat(googleRegistration.getRedirectUri()).isEqualTo("{baseUrl}/{action}/oauth2/code/{registrationId}");
|
||||||
assertThat(googleRegistration.getScopes()).isEqualTo(StringUtils.commaDelimitedListToSet("openid,profile,email"));
|
assertThat(googleRegistration.getScopes()).isNull();
|
||||||
assertThat(googleRegistration.getClientName()).isEqualTo(serverUrl);
|
assertThat(googleRegistration.getClientName()).isEqualTo(serverUrl);
|
||||||
|
|
||||||
ProviderDetails googleProviderDetails = googleRegistration.getProviderDetails();
|
ProviderDetails googleProviderDetails = googleRegistration.getProviderDetails();
|
||||||
|
|
|
@ -25,7 +25,6 @@ import java.util.function.Supplier;
|
||||||
|
|
||||||
import com.nimbusds.oauth2.sdk.GrantType;
|
import com.nimbusds.oauth2.sdk.GrantType;
|
||||||
import com.nimbusds.oauth2.sdk.ParseException;
|
import com.nimbusds.oauth2.sdk.ParseException;
|
||||||
import com.nimbusds.oauth2.sdk.Scope;
|
|
||||||
import com.nimbusds.oauth2.sdk.as.AuthorizationServerMetadata;
|
import com.nimbusds.oauth2.sdk.as.AuthorizationServerMetadata;
|
||||||
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
|
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
|
||||||
import net.minidev.json.JSONObject;
|
import net.minidev.json.JSONObject;
|
||||||
|
@ -35,7 +34,6 @@ import org.springframework.http.RequestEntity;
|
||||||
import org.springframework.security.oauth2.core.AuthorizationGrantType;
|
import org.springframework.security.oauth2.core.AuthorizationGrantType;
|
||||||
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
|
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
|
||||||
import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
|
import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
|
||||||
import org.springframework.security.oauth2.core.oidc.OidcScopes;
|
|
||||||
import org.springframework.util.Assert;
|
import org.springframework.util.Assert;
|
||||||
import org.springframework.web.client.HttpClientErrorException;
|
import org.springframework.web.client.HttpClientErrorException;
|
||||||
import org.springframework.web.client.RestTemplate;
|
import org.springframework.web.client.RestTemplate;
|
||||||
|
@ -236,12 +234,10 @@ public final class ClientRegistrations {
|
||||||
throw new IllegalArgumentException("Only AuthorizationGrantType.AUTHORIZATION_CODE is supported. The issuer \"" + issuer +
|
throw new IllegalArgumentException("Only AuthorizationGrantType.AUTHORIZATION_CODE is supported. The issuer \"" + issuer +
|
||||||
"\" returned a configuration of " + grantTypes);
|
"\" returned a configuration of " + grantTypes);
|
||||||
}
|
}
|
||||||
List<String> scopes = getScopes(metadata);
|
|
||||||
Map<String, Object> configurationMetadata = new LinkedHashMap<>(metadata.toJSONObject());
|
Map<String, Object> configurationMetadata = new LinkedHashMap<>(metadata.toJSONObject());
|
||||||
|
|
||||||
return ClientRegistration.withRegistrationId(name)
|
return ClientRegistration.withRegistrationId(name)
|
||||||
.userNameAttributeName(IdTokenClaimNames.SUB)
|
.userNameAttributeName(IdTokenClaimNames.SUB)
|
||||||
.scope(scopes)
|
|
||||||
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
|
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
|
||||||
.clientAuthenticationMethod(method)
|
.clientAuthenticationMethod(method)
|
||||||
.redirectUri("{baseUrl}/{action}/oauth2/code/{registrationId}")
|
.redirectUri("{baseUrl}/{action}/oauth2/code/{registrationId}")
|
||||||
|
@ -268,16 +264,6 @@ public final class ClientRegistrations {
|
||||||
+ "ClientAuthenticationMethod.NONE are supported. The issuer \"" + issuer + "\" returned a configuration of " + metadataAuthMethods);
|
+ "ClientAuthenticationMethod.NONE are supported. The issuer \"" + issuer + "\" returned a configuration of " + metadataAuthMethods);
|
||||||
}
|
}
|
||||||
|
|
||||||
private static List<String> getScopes(AuthorizationServerMetadata metadata) {
|
|
||||||
Scope scope = metadata.getScopes();
|
|
||||||
if (scope == null) {
|
|
||||||
// If null, default to "openid" which must be supported
|
|
||||||
return Collections.singletonList(OidcScopes.OPENID);
|
|
||||||
} else {
|
|
||||||
return scope.toStringList();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
private ClientRegistrations() {}
|
private ClientRegistrations() {}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
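Review bot: In the `@ -236,12 +234,10 @@` hunk the builder is returned with no scope at all, so `ClientRegistration.getScopes()` is now null for every discovered registration, and as far as I can tell an OIDC registration built without an explicit scope will not request `openid` and the login will behave as plain OAuth2 with no ID token. Not defaulting to the full `scopes_supported` list is the right call — that metadata advertises what the server supports, not the minimum this client should be granted — but the contract change is visible only in the tests, and the Javadoc of the public factory methods (`fromOidcIssuerLocation` and friends, outside these hunks) does not mention it. Suggest adding a sentence there such as `The returned builder carries no scope; set the scopes the client actually needs (for OpenID Connect at least {@code openid}) before building.` The `getScopes` helper removed in the `@ -268,16 +264,6 @@` hunk was the only place the `openid` default lived, so nothing else restores it.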
@ -158,7 +158,7 @@ public class ClientRegistrationsTest {
|
||||||
assertThat(registration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
|
assertThat(registration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
|
||||||
assertThat(registration.getRegistrationId()).isEqualTo(this.server.getHostName());
|
assertThat(registration.getRegistrationId()).isEqualTo(this.server.getHostName());
|
||||||
assertThat(registration.getClientName()).isEqualTo(this.issuer);
|
assertThat(registration.getClientName()).isEqualTo(this.issuer);
|
||||||
assertThat(registration.getScopes()).containsOnly("openid", "email", "profile");
|
assertThat(registration.getScopes()).isNull();
|
||||||
assertThat(provider.getAuthorizationUri()).isEqualTo("https://example.com/o/oauth2/v2/auth");
|
assertThat(provider.getAuthorizationUri()).isEqualTo("https://example.com/o/oauth2/v2/auth");
|
||||||
assertThat(provider.getTokenUri()).isEqualTo("https://example.com/oauth2/v4/token");
|
assertThat(provider.getTokenUri()).isEqualTo("https://example.com/oauth2/v4/token");
|
||||||
assertThat(provider.getJwkSetUri()).isEqualTo("https://example.com/oauth2/v3/certs");
|
assertThat(provider.getJwkSetUri()).isEqualTo("https://example.com/oauth2/v3/certs");
|
||||||
|
@ -222,41 +222,6 @@ public class ClientRegistrationsTest {
|
||||||
assertThat(this.issuer).endsWith("/");
|
assertThat(this.issuer).endsWith("/");
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
|
|
||||||
*
|
|
||||||
* RECOMMENDED. JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The
|
|
||||||
* server MUST support the openid scope value.
|
|
||||||
* @throws Exception
|
|
||||||
*/
|
|
||||||
@Test
|
|
||||||
public void issuerWhenScopesNullThenScopesDefaulted() throws Exception {
|
|
||||||
this.response.remove("scopes_supported");
|
|
||||||
|
|
||||||
ClientRegistration registration = registration("").build();
|
|
||||||
|
|
||||||
assertThat(registration.getScopes()).containsOnly("openid");
|
|
||||||
}
|
|
||||||
|
|
||||||
@Test
|
|
||||||
public void issuerWhenOidcFallbackScopesNullThenScopesDefaulted() throws Exception {
|
|
||||||
this.response.remove("scopes_supported");
|
|
||||||
|
|
||||||
ClientRegistration registration = registrationOidcFallback("", null).build();
|
|
||||||
|
|
||||||
assertThat(registration.getScopes()).containsOnly("openid");
|
|
||||||
}
|
|
||||||
|
|
||||||
@Test
|
|
||||||
public void issuerWhenOAuth2ScopesNullThenScopesDefaulted() throws Exception {
|
|
||||||
this.response.remove("scopes_supported");
|
|
||||||
|
|
||||||
ClientRegistration registration = registrationOAuth2("", null).build();
|
|
||||||
|
|
||||||
assertThat(registration.getScopes()).containsOnly("openid");
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void issuerWhenGrantTypesSupportedNullThenDefaulted() throws Exception {
|
public void issuerWhenGrantTypesSupportedNullThenDefaulted() throws Exception {
|
||||||
this.response.remove("grant_types_supported");
|
this.response.remove("grant_types_supported");
|
||||||
|
|
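Review bot: The `@ -222,41 +222,6 @@` hunk deletes all three `issuerWhen...ScopesNullThenScopesDefaulted` tests instead of adapting them, so nothing now pins the behaviour when `scopes_supported` is absent from the discovery document; the surviving `isNull()` assertion in the `@ -158,7 +158,7 @@` hunk only covers a response that includes it. Since the new code ignores the metadata either way, keeping one of the removed tests with `this.response.remove("scopes_supported");` followed by `assertThat(registration.getScopes()).isNull();` would document that absence and presence are treated alike and guard against a default creeping back later. The test class continues outside the hunk.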