diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java index bf3f5e198c..bf390f8b94 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java @@ -463,10 +463,9 @@ public final class ClientRegistration { Assert.hasText(this.clientSecret, "clientSecret cannot be empty"); Assert.notNull(this.clientAuthenticationMethod, "clientAuthenticationMethod cannot be null"); Assert.hasText(this.redirectUriTemplate, "redirectUriTemplate cannot be empty"); - Assert.notEmpty(this.scopes, "scopes cannot be empty"); Assert.hasText(this.authorizationUri, "authorizationUri cannot be empty"); Assert.hasText(this.tokenUri, "tokenUri cannot be empty"); - if (this.scopes.contains(OidcScopes.OPENID)) { + if (this.scopes != null && this.scopes.contains(OidcScopes.OPENID)) { // OIDC Clients need to verify/validate the ID Token Assert.hasText(this.jwkSetUri, "jwkSetUri cannot be empty"); } @@ -479,7 +478,6 @@ public final class ClientRegistration { Assert.hasText(this.registrationId, "registrationId cannot be empty"); Assert.hasText(this.clientId, "clientId cannot be empty"); Assert.hasText(this.redirectUriTemplate, "redirectUriTemplate cannot be empty"); - Assert.notEmpty(this.scopes, "scopes cannot be empty"); Assert.hasText(this.authorizationUri, "authorizationUri cannot be empty"); Assert.hasText(this.clientName, "clientName cannot be empty"); } diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationTests.java index 95f23bd833..0a9c096950 100644 --- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationTests.java +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2017 the original author or authors. + * Copyright 2002-2018 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -165,8 +165,9 @@ public class ClientRegistrationTests { .build(); } - @Test(expected = IllegalArgumentException.class) - public void buildWhenAuthorizationCodeGrantScopeIsNullThenThrowIllegalArgumentException() { + // gh-5494 + @Test + public void buildWhenAuthorizationCodeGrantScopeIsNullThenScopeNotRequired() { ClientRegistration.withRegistrationId(REGISTRATION_ID) .clientId(CLIENT_ID) .clientSecret(CLIENT_SECRET) @@ -260,6 +261,21 @@ public class ClientRegistrationTests { .build(); } + // gh-5494 + @Test + public void buildWhenAuthorizationCodeGrantScopeIsNullThenJwkSetUriNotRequired() { + ClientRegistration.withRegistrationId(REGISTRATION_ID) + .clientId(CLIENT_ID) + .clientSecret(CLIENT_SECRET) + .clientAuthenticationMethod(ClientAuthenticationMethod.BASIC) + .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE) + .redirectUriTemplate(REDIRECT_URI) + .authorizationUri(AUTHORIZATION_URI) + .tokenUri(TOKEN_URI) + .clientName(CLIENT_NAME) + .build(); + } + @Test public void buildWhenImplicitGrantAllAttributesProvidedThenAllAttributesAreSet() { ClientRegistration registration = ClientRegistration.withRegistrationId(REGISTRATION_ID) @@ -316,8 +332,9 @@ public class ClientRegistrationTests { .build(); } - @Test(expected = IllegalArgumentException.class) - public void buildWhenImplicitGrantScopeIsNullThenThrowIllegalArgumentException() { + // gh-5494 + @Test + public void buildWhenImplicitGrantScopeIsNullThenScopeNotRequired() { ClientRegistration.withRegistrationId(REGISTRATION_ID) .clientId(CLIENT_ID) .authorizationGrantType(AuthorizationGrantType.IMPLICIT)