scopes_supported metadata not used as default in ClientRegistrations

Closes gh-8514
Martin Vietz 2020-07-02 12:26:34 +02:00 committed by Joe Grandja
parent 21e9a410ee
commit 0486d5add9
3 changed files with 2 additions and 51 deletions


@ -152,7 +152,7 @@ public class ClientRegistrationsBeanDefinitionParserTests {
assertThat(googleRegistration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.BASIC); assertThat(googleRegistration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.BASIC);
assertThat(googleRegistration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE); assertThat(googleRegistration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
assertThat(googleRegistration.getRedirectUri()).isEqualTo("{baseUrl}/{action}/oauth2/code/{registrationId}"); assertThat(googleRegistration.getRedirectUri()).isEqualTo("{baseUrl}/{action}/oauth2/code/{registrationId}");
assertThat(googleRegistration.getScopes()).isEqualTo(StringUtils.commaDelimitedListToSet("openid,profile,email")); assertThat(googleRegistration.getScopes()).isNull();
assertThat(googleRegistration.getClientName()).isEqualTo(serverUrl); assertThat(googleRegistration.getClientName()).isEqualTo(serverUrl);
ProviderDetails googleProviderDetails = googleRegistration.getProviderDetails(); ProviderDetails googleProviderDetails = googleRegistration.getProviderDetails();


@ -25,7 +25,6 @@ import java.util.function.Supplier;
import com.nimbusds.oauth2.sdk.GrantType; import com.nimbusds.oauth2.sdk.GrantType;
import com.nimbusds.oauth2.sdk.ParseException; import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.as.AuthorizationServerMetadata; import com.nimbusds.oauth2.sdk.as.AuthorizationServerMetadata;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata; import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import net.minidev.json.JSONObject; import net.minidev.json.JSONObject;
@ -35,7 +34,6 @@ import org.springframework.http.RequestEntity;
import org.springframework.security.oauth2.core.AuthorizationGrantType; import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod; import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames; import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import org.springframework.web.client.HttpClientErrorException; import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.RestTemplate; import org.springframework.web.client.RestTemplate;
@ -236,12 +234,10 @@ public final class ClientRegistrations {
throw new IllegalArgumentException("Only AuthorizationGrantType.AUTHORIZATION_CODE is supported. The issuer \"" + issuer + throw new IllegalArgumentException("Only AuthorizationGrantType.AUTHORIZATION_CODE is supported. The issuer \"" + issuer +
"\" returned a configuration of " + grantTypes); "\" returned a configuration of " + grantTypes);
} }
List<String> scopes = getScopes(metadata);
Map<String, Object> configurationMetadata = new LinkedHashMap<>(metadata.toJSONObject()); Map<String, Object> configurationMetadata = new LinkedHashMap<>(metadata.toJSONObject());
return ClientRegistration.withRegistrationId(name) return ClientRegistration.withRegistrationId(name)
.userNameAttributeName(IdTokenClaimNames.SUB) .userNameAttributeName(IdTokenClaimNames.SUB)
.scope(scopes)
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE) .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.clientAuthenticationMethod(method) .clientAuthenticationMethod(method)
.redirectUri("{baseUrl}/{action}/oauth2/code/{registrationId}") .redirectUri("{baseUrl}/{action}/oauth2/code/{registrationId}")
@ -268,16 +264,6 @@ public final class ClientRegistrations {
+ "ClientAuthenticationMethod.NONE are supported. The issuer \"" + issuer + "\" returned a configuration of " + metadataAuthMethods); + "ClientAuthenticationMethod.NONE are supported. The issuer \"" + issuer + "\" returned a configuration of " + metadataAuthMethods);
} }
private static List<String> getScopes(AuthorizationServerMetadata metadata) {
Scope scope = metadata.getScopes();
if (scope == null) {
// If null, default to "openid" which must be supported
return Collections.singletonList(OidcScopes.OPENID);
} else {
return scope.toStringList();
}
}
private ClientRegistrations() {} private ClientRegistrations() {}
} }
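Review bot: With `.scope(scopes)` removed from the builder chain in the hunk at -236, the registration is now returned with no scopes at all (the updated tests assert `getScopes()` is null), yet nothing in these hunks documents that for callers of the public factory methods, whose Javadoc lies outside the diff. I would add there: `Scopes are not derived from the provider's scopes_supported metadata; configure the scopes the application actually needs (for OpenID Connect at least "openid") on the returned builder.` Requesting only what the application needs instead of everything the server advertises is the least-privilege outcome this change enables, so it is worth stating explicitly. Separately, the removed `getScopes` helper at -268 was the only visible user of `Collections.singletonList`; if `java.util.Collections` is not referenced elsewhere in the file, its import is now unused and should be dropped alongside the removed `Scope` and `OidcScopes` imports. The method containing the -236 hunk begins before the hunk.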


@ -158,7 +158,7 @@ public class ClientRegistrationsTest {
assertThat(registration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE); assertThat(registration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
assertThat(registration.getRegistrationId()).isEqualTo(this.server.getHostName()); assertThat(registration.getRegistrationId()).isEqualTo(this.server.getHostName());
assertThat(registration.getClientName()).isEqualTo(this.issuer); assertThat(registration.getClientName()).isEqualTo(this.issuer);
assertThat(registration.getScopes()).containsOnly("openid", "email", "profile"); assertThat(registration.getScopes()).isNull();
assertThat(provider.getAuthorizationUri()).isEqualTo("https://example.com/o/oauth2/v2/auth"); assertThat(provider.getAuthorizationUri()).isEqualTo("https://example.com/o/oauth2/v2/auth");
assertThat(provider.getTokenUri()).isEqualTo("https://example.com/oauth2/v4/token"); assertThat(provider.getTokenUri()).isEqualTo("https://example.com/oauth2/v4/token");
assertThat(provider.getJwkSetUri()).isEqualTo("https://example.com/oauth2/v3/certs"); assertThat(provider.getJwkSetUri()).isEqualTo("https://example.com/oauth2/v3/certs");
@ -222,41 +222,6 @@ public class ClientRegistrationsTest {
assertThat(this.issuer).endsWith("/"); assertThat(this.issuer).endsWith("/");
} }
/**
* https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
*
* RECOMMENDED. JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The
* server MUST support the openid scope value.
* @throws Exception
*/
@Test
public void issuerWhenScopesNullThenScopesDefaulted() throws Exception {
this.response.remove("scopes_supported");
ClientRegistration registration = registration("").build();
assertThat(registration.getScopes()).containsOnly("openid");
}
@Test
public void issuerWhenOidcFallbackScopesNullThenScopesDefaulted() throws Exception {
this.response.remove("scopes_supported");
ClientRegistration registration = registrationOidcFallback("", null).build();
assertThat(registration.getScopes()).containsOnly("openid");
}
@Test
public void issuerWhenOAuth2ScopesNullThenScopesDefaulted() throws Exception {
this.response.remove("scopes_supported");
ClientRegistration registration = registrationOAuth2("", null).build();
assertThat(registration.getScopes()).containsOnly("openid");
}
@Test @Test
public void issuerWhenGrantTypesSupportedNullThenDefaulted() throws Exception { public void issuerWhenGrantTypesSupportedNullThenDefaulted() throws Exception {
this.response.remove("grant_types_supported"); this.response.remove("grant_types_supported");
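Review bot: The deleted tests `issuerWhenOidcFallbackScopesNullThenScopesDefaulted` and `issuerWhenOAuth2ScopesNullThenScopesDefaulted` were the only assertions in the hunk at -222 covering scope handling on the `registrationOidcFallback` and `registrationOAuth2` paths; after this change only the OIDC path is pinned, by the `isNull()` assertion at -158. If the fallback and OAuth2 tests elsewhere in this class do not already check scopes, adding `assertThat(registration.getScopes()).isNull();` to one test on each path would catch a future reintroduction of metadata-derived scopes on every code path rather than just one. The test method at the end of the hunk, `issuerWhenGrantTypesSupportedNullThenDefaulted`, continues past the hunk.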