diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java index 7f5baeff5f..28e59020dc 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java @@ -38,8 +38,8 @@ import org.springframework.security.oauth2.jwt.NimbusJwtDecoder; import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter; import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider; import org.springframework.security.oauth2.server.resource.authentication.OAuth2IntrospectionAuthenticationProvider; -import org.springframework.security.oauth2.server.resource.introspection.NimbusOAuth2TokenIntrospectionClient; -import org.springframework.security.oauth2.server.resource.introspection.OAuth2TokenIntrospectionClient; +import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector; +import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector; import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint; import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter; import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver; @@ -339,7 +339,7 @@ public final class OAuth2ResourceServerConfigurer introspectionClient; + private Supplier introspector; OpaqueTokenConfigurer(ApplicationContext context) { this.context = context; 
@@ -354,8 +354,8 @@ public final class OAuth2ResourceServerConfigurer - new NimbusOAuth2TokenIntrospectionClient(this.introspectionUri, this.clientId, this.clientSecret); + this.introspector = () -> + new NimbusOpaqueTokenIntrospector(this.introspectionUri, this.clientId, this.clientSecret); return this; } @@ -364,22 +364,22 @@ public final class OAuth2ResourceServerConfigurer - new NimbusOAuth2TokenIntrospectionClient(this.introspectionUri, this.clientId, this.clientSecret); + this.introspector = () -> + new NimbusOpaqueTokenIntrospector(this.introspectionUri, this.clientId, this.clientSecret); return this; } - public OpaqueTokenConfigurer introspectionClient(OAuth2TokenIntrospectionClient introspectionClient) { - Assert.notNull(introspectionClient, "introspectionClient cannot be null"); - this.introspectionClient = () -> introspectionClient; + public OpaqueTokenConfigurer introspector(OpaqueTokenIntrospector introspector) { + Assert.notNull(introspector, "introspector cannot be null"); + this.introspector = () -> introspector; return this; } - OAuth2TokenIntrospectionClient getIntrospectionClient() { - if (this.introspectionClient != null) { - return this.introspectionClient.get(); + OpaqueTokenIntrospector getIntrospector() { + if (this.introspector != null) { + return this.introspector.get(); } - return this.context.getBean(OAuth2TokenIntrospectionClient.class); + return this.context.getBean(OpaqueTokenIntrospector.class); } AuthenticationManager getAuthenticationManager(H http) { @@ -387,9 +387,9 @@ public final class OAuth2ResourceServerConfigurer introspectionClient; + private Supplier introspector; /** * Configures the URI of the Introspection endpoint 
@@ -1830,8 +1830,8 @@ public class ServerHttpSecurity {
 public OpaqueTokenSpec introspectionUri(String introspectionUri) {
 Assert.hasText(introspectionUri, "introspectionUri cannot be empty");
 this.introspectionUri = introspectionUri;
- this.introspectionClient = () ->
- new NimbusReactiveOAuth2TokenIntrospectionClient(
+ this.introspector = () ->
+ new NimbusReactiveOpaqueTokenIntrospector(
 this.introspectionUri, this.clientId, this.clientSecret);
 return this;
 }
@@ -1847,15 +1847,15 @@ public class ServerHttpSecurity {
 Assert.notNull(clientSecret, "clientSecret cannot be null");
 this.clientId = clientId;
 this.clientSecret = clientSecret;
- this.introspectionClient = () ->
- new NimbusReactiveOAuth2TokenIntrospectionClient(
+ this.introspector = () ->
+ new NimbusReactiveOpaqueTokenIntrospector(
 this.introspectionUri, this.clientId, this.clientSecret);
 return this;
 }
- public OpaqueTokenSpec introspectionClient(ReactiveOAuth2TokenIntrospectionClient introspectionClient) {
- Assert.notNull(introspectionClient, "introspectionClient cannot be null");
- this.introspectionClient = () -> introspectionClient;
+ public OpaqueTokenSpec introspector(ReactiveOpaqueTokenIntrospector introspector) {
+ Assert.notNull(introspector, "introspector cannot be null");
+ this.introspector = () -> introspector;
 return this;
 }
@@ -1868,14 +1868,14 @@ public class ServerHttpSecurity {
 }
 protected ReactiveAuthenticationManager getAuthenticationManager() {
- return new OAuth2IntrospectionReactiveAuthenticationManager(getIntrospectionClient());
+ return new OAuth2IntrospectionReactiveAuthenticationManager(getIntrospector());
 }
- protected ReactiveOAuth2TokenIntrospectionClient getIntrospectionClient() {
- if (this.introspectionClient != null) {
- return this.introspectionClient.get();
+ protected ReactiveOpaqueTokenIntrospector getIntrospector() {
+ if (this.introspector != null) {
+ return this.introspector.get();
 }
- return getBean(ReactiveOAuth2TokenIntrospectionClient.class);
+ return getBean(ReactiveOpaqueTokenIntrospector.class);
 }
 protected void configure(ServerHttpSecurity http) {
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
index ee1e10997d..aee7f9cf80 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
@@ -92,8 +92,8 @@ import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 import org.springframework.security.oauth2.server.resource.authentication.OAuth2IntrospectionAuthenticationToken;
-import org.springframework.security.oauth2.server.resource.introspection.NimbusOAuth2TokenIntrospectionClient;
-import org.springframework.security.oauth2.server.resource.introspection.OAuth2TokenIntrospectionClient;
+import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
+import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
 import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
 import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
 import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
@@ -1182,38 +1182,38 @@ public class OAuth2ResourceServerConfigurerTests { OAuth2ResourceServerConfigurer.OpaqueTokenConfigurer opaqueTokenConfigurer = new OAuth2ResourceServerConfigurer(context).opaqueToken(); - OAuth2TokenIntrospectionClient client = mock(OAuth2TokenIntrospectionClient.class); + OpaqueTokenIntrospector client = mock(OpaqueTokenIntrospector.class); opaqueTokenConfigurer.introspectionUri(INTROSPECTION_URI); opaqueTokenConfigurer.introspectionClientCredentials(CLIENT_ID, CLIENT_SECRET); - opaqueTokenConfigurer.introspectionClient(client); + opaqueTokenConfigurer.introspector(client); - assertThat(opaqueTokenConfigurer.getIntrospectionClient()).isEqualTo(client); + assertThat(opaqueTokenConfigurer.getIntrospector()).isEqualTo(client); opaqueTokenConfigurer = new OAuth2ResourceServerConfigurer(context).opaqueToken(); - opaqueTokenConfigurer.introspectionClient(client); + opaqueTokenConfigurer.introspector(client); opaqueTokenConfigurer.introspectionUri(INTROSPECTION_URI); opaqueTokenConfigurer.introspectionClientCredentials(CLIENT_ID, CLIENT_SECRET); - assertThat(opaqueTokenConfigurer.getIntrospectionClient()) - .isInstanceOf(NimbusOAuth2TokenIntrospectionClient.class); + assertThat(opaqueTokenConfigurer.getIntrospector()) + .isInstanceOf(NimbusOpaqueTokenIntrospector.class); } @Test public void getIntrospectionClientWhenDslAndBeanWiredThenDslTakesPrecedence() { GenericApplicationContext context = new GenericApplicationContext(); - registerMockBean(context, "introspectionClientOne", OAuth2TokenIntrospectionClient.class); - registerMockBean(context, "introspectionClientTwo", OAuth2TokenIntrospectionClient.class); + registerMockBean(context, "introspectionClientOne", OpaqueTokenIntrospector.class); + registerMockBean(context, "introspectionClientTwo", OpaqueTokenIntrospector.class); OAuth2ResourceServerConfigurer.OpaqueTokenConfigurer opaqueToken = new OAuth2ResourceServerConfigurer(context).opaqueToken(); 
opaqueToken.introspectionUri(INTROSPECTION_URI); opaqueToken.introspectionClientCredentials(CLIENT_ID, CLIENT_SECRET); - assertThat(opaqueToken.getIntrospectionClient()).isNotNull(); + assertThat(opaqueToken.getIntrospector()).isNotNull(); } // -- In combination with other authentication providers @@ -1327,7 +1327,7 @@ public class OAuth2ResourceServerConfigurerTests { oauth2ResourceServer .opaqueToken() .authenticationManager(authenticationManager) - .introspectionClient(mock(OAuth2TokenIntrospectionClient.class)); + .introspector(mock(OpaqueTokenIntrospector.class)); assertThat(oauth2ResourceServer.getAuthenticationManager(http)).isSameAs(authenticationManager); verify(http, never()).authenticationProvider(any(AuthenticationProvider.class)); } @@ -2164,8 +2164,8 @@ public class OAuth2ResourceServerConfigurerTests { } @Bean - NimbusOAuth2TokenIntrospectionClient tokenIntrospectionClient() { - return new NimbusOAuth2TokenIntrospectionClient("https://example.org/introspect", this.rest); + NimbusOpaqueTokenIntrospector tokenIntrospectionClient() { + return new NimbusOpaqueTokenIntrospector("https://example.org/introspect", this.rest); } } diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionAuthenticationProvider.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionAuthenticationProvider.java index 19f78ad040..495a6b4943 100644 --- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionAuthenticationProvider.java +++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionAuthenticationProvider.java 
@@ -34,7 +34,7 @@ import org.springframework.security.oauth2.core.OAuth2AuthenticationException; import org.springframework.security.oauth2.core.OAuth2Error; import org.springframework.security.oauth2.core.OAuth2TokenAttributes; import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionException; -import org.springframework.security.oauth2.server.resource.introspection.OAuth2TokenIntrospectionClient; +import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector; import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken; import org.springframework.security.oauth2.server.resource.BearerTokenError; import org.springframework.util.Assert; @@ -69,14 +69,14 @@ public final class OAuth2IntrospectionAuthenticationProvider implements Authenti private static final BearerTokenError DEFAULT_INVALID_TOKEN = invalidToken("An error occurred while attempting to introspect the token: Invalid token"); - private OAuth2TokenIntrospectionClient introspectionClient; + private OpaqueTokenIntrospector introspectionClient; /** * Creates a {@code OAuth2IntrospectionAuthenticationProvider} with the provided parameters * - * @param introspectionClient The {@link OAuth2TokenIntrospectionClient} to use + * @param introspectionClient The {@link OpaqueTokenIntrospector} to use */ - public OAuth2IntrospectionAuthenticationProvider(OAuth2TokenIntrospectionClient introspectionClient) { + public OAuth2IntrospectionAuthenticationProvider(OpaqueTokenIntrospector introspectionClient) { Assert.notNull(introspectionClient, "introspectionClient cannot be null"); this.introspectionClient = introspectionClient; } 
diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionReactiveAuthenticationManager.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionReactiveAuthenticationManager.java
index 5b9b0f0354..3f76d53a29 100644
--- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionReactiveAuthenticationManager.java
+++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionReactiveAuthenticationManager.java
@@ -35,7 +35,7 @@ import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionException;
-import org.springframework.security.oauth2.server.resource.introspection.ReactiveOAuth2TokenIntrospectionClient;
+import org.springframework.security.oauth2.server.resource.introspection.ReactiveOpaqueTokenIntrospector;
 import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
 import org.springframework.security.oauth2.server.resource.BearerTokenError;
 import org.springframework.util.Assert;
@@ -70,14 +70,14 @@ public class OAuth2IntrospectionReactiveAuthenticationManager implements Reactiv private static final BearerTokenError DEFAULT_INVALID_TOKEN = invalidToken("An error occurred while attempting to introspect the token: Invalid token"); - private ReactiveOAuth2TokenIntrospectionClient introspectionClient; + private ReactiveOpaqueTokenIntrospector introspectionClient; /** * Creates a {@code OAuth2IntrospectionReactiveAuthenticationManager} with the provided parameters * - * @param introspectionClient The {@link ReactiveOAuth2TokenIntrospectionClient} to use + * @param introspectionClient The {@link ReactiveOpaqueTokenIntrospector} to use */ - public OAuth2IntrospectionReactiveAuthenticationManager(ReactiveOAuth2TokenIntrospectionClient introspectionClient) { + public OAuth2IntrospectionReactiveAuthenticationManager(ReactiveOpaqueTokenIntrospector introspectionClient) { Assert.notNull(introspectionClient, "introspectionClient cannot be null"); this.introspectionClient = introspectionClient; } diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/NimbusOAuth2TokenIntrospectionClient.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/NimbusOpaqueTokenIntrospector.java similarity index 94% rename from oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/NimbusOAuth2TokenIntrospectionClient.java rename to oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/NimbusOpaqueTokenIntrospector.java index f7ad7ee3b8..3788331c4c 100644 --- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/NimbusOAuth2TokenIntrospectionClient.java 
+++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/NimbusOpaqueTokenIntrospector.java @@ -52,13 +52,15 @@ import static org.springframework.security.oauth2.server.resource.introspection. import static org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames.SCOPE; /** - * A Nimbus implementation of {@link OAuth2TokenIntrospectionClient}. + * A Nimbus implementation of {@link OpaqueTokenIntrospector} that verifies and introspects + * a token using the configured + * OAuth 2.0 Introspection Endpoint. * * @author Josh Cummings * @author MD Sayem Ahmed * @since 5.2 */ -public class NimbusOAuth2TokenIntrospectionClient implements OAuth2TokenIntrospectionClient { +public class NimbusOpaqueTokenIntrospector implements OpaqueTokenIntrospector { private Converter> requestEntityConverter; private RestOperations restOperations; @@ -69,7 +71,7 @@ public class NimbusOAuth2TokenIntrospectionClient implements OAuth2TokenIntrospe * @param clientId The client id authorized to introspect * @param clientSecret The client's secret */ - public NimbusOAuth2TokenIntrospectionClient(String introspectionUri, String clientId, String clientSecret) { + public NimbusOpaqueTokenIntrospector(String introspectionUri, String clientId, String clientSecret) { Assert.notNull(introspectionUri, "introspectionUri cannot be null"); Assert.notNull(clientId, "clientId cannot be null"); Assert.notNull(clientSecret, "clientSecret cannot be null"); 
@@ -89,7 +91,7 @@ public class NimbusOAuth2TokenIntrospectionClient implements OAuth2TokenIntrospe
 * @param introspectionUri The introspection endpoint uri
 * @param restOperations The client for performing the introspection request
 */
- public NimbusOAuth2TokenIntrospectionClient(String introspectionUri, RestOperations restOperations) {
+ public NimbusOpaqueTokenIntrospector(String introspectionUri, RestOperations restOperations) {
 Assert.notNull(introspectionUri, "introspectionUri cannot be null");
 Assert.notNull(restOperations, "restOperations cannot be null");
diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/NimbusReactiveOAuth2TokenIntrospectionClient.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/NimbusReactiveOpaqueTokenIntrospector.java
similarity index 93%
rename from oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/NimbusReactiveOAuth2TokenIntrospectionClient.java
rename to oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/NimbusReactiveOpaqueTokenIntrospector.java
index 04ba6b9aba..01e5b354c4 100644
--- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/NimbusReactiveOAuth2TokenIntrospectionClient.java
+++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/NimbusReactiveOpaqueTokenIntrospector.java
@@ -46,12 +46,14 @@ import static org.springframework.security.oauth2.server.resource.introspection. import static org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames.SCOPE; /** - * A Nimbus implementation of {@link ReactiveOAuth2TokenIntrospectionClient} + * A Nimbus implementation of {@link ReactiveOpaqueTokenIntrospector} that verifies and introspects + * a token using the configured + * OAuth 2.0 Introspection Endpoint. * * @author Josh Cummings * @since 5.2 */ -public class NimbusReactiveOAuth2TokenIntrospectionClient implements ReactiveOAuth2TokenIntrospectionClient { +public class NimbusReactiveOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector { private URI introspectionUri; private WebClient webClient; @@ -62,7 +64,7 @@ public class NimbusReactiveOAuth2TokenIntrospectionClient implements ReactiveOAu * @param clientId The client id authorized to introspect * @param clientSecret The client secret for the authorized client */ - public NimbusReactiveOAuth2TokenIntrospectionClient(String introspectionUri, String clientId, String clientSecret) { + public NimbusReactiveOpaqueTokenIntrospector(String introspectionUri, String clientId, String clientSecret) { Assert.hasText(introspectionUri, "introspectionUri cannot be empty"); Assert.hasText(clientId, "clientId cannot be empty"); Assert.notNull(clientSecret, "clientSecret cannot be null"); @@ -79,7 +81,7 @@ public class NimbusReactiveOAuth2TokenIntrospectionClient implements ReactiveOAu * @param introspectionUri The introspection endpoint uri * @param webClient The client for performing the introspection request */ - public NimbusReactiveOAuth2TokenIntrospectionClient(String introspectionUri, WebClient webClient) { + public NimbusReactiveOpaqueTokenIntrospector(String introspectionUri, WebClient webClient) { Assert.hasText(introspectionUri, "introspectionUri cannot be null"); Assert.notNull(webClient, "webClient cannot be null"); 
diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/OAuth2TokenIntrospectionClient.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/OpaqueTokenIntrospector.java
similarity index 58%
rename from oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/OAuth2TokenIntrospectionClient.java
rename to oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/OpaqueTokenIntrospector.java
index 6bf285a242..6b17264ace 100644
--- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/OAuth2TokenIntrospectionClient.java
+++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/OpaqueTokenIntrospector.java
@@ -19,25 +19,27 @@ package org.springframework.security.oauth2.server.resource.introspection;
 import java.util.Map;
 /**
- * A client to an
- * OAuth 2.0 Introspection Endpoint.
+ * A contract for introspecting and verifying an OAuth 2.0 token.
 *
- * Basically, this client is handy when a resource server authenticates opaque OAuth 2.0 tokens.
- * It's also nice when a resource server simply can't decode tokens - whether the tokens are opaque or not -
- * and would prefer to delegate that task to an authorization server.
+ * A typical implementation of this interface will make a request to an
+ * OAuth 2.0 Introspection Endpoint
+ * to verify the token and return its attributes, indicating a successful verification.
+ *
+ * Another sensible implementation of this interface would be to query a backing store
+ * of tokens, for example a distributed cache.
 *
 * @author Josh Cummings
 * @since 5.2
 */
-public interface OAuth2TokenIntrospectionClient {
+public interface OpaqueTokenIntrospector {
 /**
- * Request that the configured
- * OAuth 2.0 Introspection Endpoint
- * introspect the given token and return its associated attributes.
+ * Introspect and verify the given token, returning its attributes.
+ *
+ * Returning a {@link Map} is indicative that the token is valid.
 *
 * @param token the token to introspect
- * @return the token's attributes, including whether or not the token is active
+ * @return the token's attributes
 */
 Map introspect(String token);
 }
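Review bot: The rewritten Javadoc for `introspect` states that returning a Map means the token is valid, but it no longer says how an implementation must report an inactive, expired or unknown token. With the old `@return` wording ("including whether or not the token is active") removed, a custom implementation such as the cache lookup suggested in the class comment could return an empty map or one carrying an inactive flag and, read against this contract, have vouched for the token; how the authentication provider treats such a map is outside this hunk, so that consequence is inferred. I would add `@throws OAuth2IntrospectionException if the token is inactive, unknown or cannot be verified` and one sentence saying that implementations must never return a Map, not even an empty one, for such a token. The same gap is in the `ReactiveOpaqueTokenIntrospector` hunk, where the failure would presumably be signalled through the returned `Mono` rather than thrown.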
diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/ReactiveOAuth2TokenIntrospectionClient.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/ReactiveOpaqueTokenIntrospector.java
similarity index 59%
rename from oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/ReactiveOAuth2TokenIntrospectionClient.java
rename to oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/ReactiveOpaqueTokenIntrospector.java
index 09919e0d8a..56793d284f 100644
--- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/ReactiveOAuth2TokenIntrospectionClient.java
+++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/ReactiveOpaqueTokenIntrospector.java
@@ -21,25 +21,27 @@ import java.util.Map; import reactor.core.publisher.Mono; /** - * A reactive client to an - * OAuth 2.0 Introspection Endpoint. + * A contract for introspecting and verifying an OAuth 2.0 token. * - * Basically, this client is handy when a resource server authenticates opaque OAuth 2.0 tokens. - * It's also nice when a resource server simply can't decode tokens - whether the tokens are opaque or not - - * and would prefer to delegate that task to an authorization server. + * A typical implementation of this interface will make a request to an + * OAuth 2.0 Introspection Endpoint + * to verify the token and return its attributes, indicating a successful verification. + * + * Another sensible implementation of this interface would be to query a backing store + * of tokens, for example a distributed cache. * * @author Josh Cummings * @since 5.2 */ -public interface ReactiveOAuth2TokenIntrospectionClient { +public interface ReactiveOpaqueTokenIntrospector { /** - * Request that the configured - * OAuth 2.0 Introspection Endpoint - * introspect the given token and return its associated attributes. + * Introspect and verify the given token, returning its attributes. + * + * Returning a {@link Map} is indicative that the token is valid. * * @param token the token to introspect - * @return the token's attributes, including whether or not the token is active + * @return the token's attributes */ Mono> introspect(String token); } diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionAuthenticationProviderTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionAuthenticationProviderTests.java index 74c18972e8..8de0c7488f 100644 
--- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionAuthenticationProviderTests.java +++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionAuthenticationProviderTests.java @@ -27,7 +27,7 @@ import org.springframework.security.oauth2.core.OAuth2AuthenticationException; import org.springframework.security.oauth2.core.OAuth2TokenAttributes; import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames; import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionException; -import org.springframework.security.oauth2.server.resource.introspection.OAuth2TokenIntrospectionClient; +import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector; import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken; import static org.assertj.core.api.Assertions.assertThat; @@ -56,7 +56,7 @@ public class OAuth2IntrospectionAuthenticationProviderTests { public void authenticateWhenActiveTokenThenOk() throws Exception { Map claims = active(); claims.put("extension_field", "twenty-seven"); - OAuth2TokenIntrospectionClient introspectionClient = mock(OAuth2TokenIntrospectionClient.class); + OpaqueTokenIntrospector introspectionClient = mock(OpaqueTokenIntrospector.class); when(introspectionClient.introspect(any())).thenReturn(claims); OAuth2IntrospectionAuthenticationProvider provider = new OAuth2IntrospectionAuthenticationProvider(introspectionClient); 
@@ -88,7 +88,7 @@ public class OAuth2IntrospectionAuthenticationProviderTests { public void authenticateWhenMissingScopeAttributeThenNoAuthorities() { Map claims = active(); claims.remove(SCOPE); - OAuth2TokenIntrospectionClient introspectionClient = mock(OAuth2TokenIntrospectionClient.class); + OpaqueTokenIntrospector introspectionClient = mock(OpaqueTokenIntrospector.class); when(introspectionClient.introspect(any())).thenReturn(claims); OAuth2IntrospectionAuthenticationProvider provider = new OAuth2IntrospectionAuthenticationProvider(introspectionClient); @@ -107,7 +107,7 @@ public class OAuth2IntrospectionAuthenticationProviderTests { @Test public void authenticateWhenIntrospectionEndpointThrowsExceptionThenInvalidToken() { - OAuth2TokenIntrospectionClient introspectionClient = mock(OAuth2TokenIntrospectionClient.class); + OpaqueTokenIntrospector introspectionClient = mock(OpaqueTokenIntrospector.class); when(introspectionClient.introspect(any())).thenThrow(new OAuth2IntrospectionException("with \"invalid\" chars")); OAuth2IntrospectionAuthenticationProvider provider = new OAuth2IntrospectionAuthenticationProvider(introspectionClient); diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionReactiveAuthenticationManagerTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionReactiveAuthenticationManagerTests.java index 5a8083085b..edc752dc57 100644 --- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionReactiveAuthenticationManagerTests.java +++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionReactiveAuthenticationManagerTests.java 
@@ -29,7 +29,7 @@ import org.springframework.security.core.Authentication; import org.springframework.security.oauth2.core.OAuth2AuthenticationException; import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames; import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionException; -import org.springframework.security.oauth2.server.resource.introspection.ReactiveOAuth2TokenIntrospectionClient; +import org.springframework.security.oauth2.server.resource.introspection.ReactiveOpaqueTokenIntrospector; import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken; import static org.assertj.core.api.Assertions.assertThat; @@ -55,7 +55,7 @@ public class OAuth2IntrospectionReactiveAuthenticationManagerTests { public void authenticateWhenActiveTokenThenOk() throws Exception { Map claims = active(); claims.put("extension_field", "twenty-seven"); - ReactiveOAuth2TokenIntrospectionClient introspectionClient = mock(ReactiveOAuth2TokenIntrospectionClient.class); + ReactiveOpaqueTokenIntrospector introspectionClient = mock(ReactiveOpaqueTokenIntrospector.class); when(introspectionClient.introspect(any())).thenReturn(Mono.just(claims)); OAuth2IntrospectionReactiveAuthenticationManager provider = new OAuth2IntrospectionReactiveAuthenticationManager(introspectionClient); 
@@ -87,7 +87,7 @@ public class OAuth2IntrospectionReactiveAuthenticationManagerTests { public void authenticateWhenMissingScopeAttributeThenNoAuthorities() { Map claims = active(); claims.remove(SCOPE); - ReactiveOAuth2TokenIntrospectionClient introspectionClient = mock(ReactiveOAuth2TokenIntrospectionClient.class); + ReactiveOpaqueTokenIntrospector introspectionClient = mock(ReactiveOpaqueTokenIntrospector.class); when(introspectionClient.introspect(any())).thenReturn(Mono.just(claims)); OAuth2IntrospectionReactiveAuthenticationManager provider = new OAuth2IntrospectionReactiveAuthenticationManager(introspectionClient); @@ -106,7 +106,7 @@ public class OAuth2IntrospectionReactiveAuthenticationManagerTests { @Test public void authenticateWhenIntrospectionEndpointThrowsExceptionThenInvalidToken() { - ReactiveOAuth2TokenIntrospectionClient introspectionClient = mock(ReactiveOAuth2TokenIntrospectionClient.class); + ReactiveOpaqueTokenIntrospector introspectionClient = mock(ReactiveOpaqueTokenIntrospector.class); when(introspectionClient.introspect(any())) .thenReturn(Mono.error(new OAuth2IntrospectionException("with \"invalid\" chars"))); OAuth2IntrospectionReactiveAuthenticationManager provider = diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/introspection/NimbusOAuth2TokenIntrospectionClientTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/introspection/NimbusOpaqueTokenIntrospectorTests.java similarity index 84% rename from oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/introspection/NimbusOAuth2TokenIntrospectionClientTests.java rename to oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/introspection/NimbusOpaqueTokenIntrospectorTests.java index 98daf6625a..f4464a75ef 100644 
--- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/introspection/NimbusOAuth2TokenIntrospectionClientTests.java +++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/introspection/NimbusOpaqueTokenIntrospectorTests.java @@ -38,10 +38,6 @@ import org.springframework.http.HttpStatus; import org.springframework.http.MediaType; import org.springframework.http.RequestEntity; import org.springframework.http.ResponseEntity; -import org.springframework.security.oauth2.server.resource.introspection.NimbusOAuth2TokenIntrospectionClient; -import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames; -import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionException; -import org.springframework.security.oauth2.server.resource.introspection.OAuth2TokenIntrospectionClient; import org.springframework.web.client.RestOperations; import static org.assertj.core.api.Assertions.assertThat; @@ -61,9 +57,9 @@ import static org.springframework.security.oauth2.server.resource.introspection. import static org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames.USERNAME; /** - * Tests for {@link NimbusOAuth2TokenIntrospectionClient} + * Tests for {@link NimbusOpaqueTokenIntrospector} */ -public class NimbusOAuth2TokenIntrospectionClientTests { +public class NimbusOpaqueTokenIntrospectorTests { private static final String INTROSPECTION_URL = "https://server.example.com"; private static final String CLIENT_ID = "client"; 
@@ -114,8 +110,8 @@ public class NimbusOAuth2TokenIntrospectionClientTests { server.setDispatcher(requiresAuth(CLIENT_ID, CLIENT_SECRET, ACTIVE_RESPONSE)); String introspectUri = server.url("/introspect").toString(); - OAuth2TokenIntrospectionClient introspectionClient = - new NimbusOAuth2TokenIntrospectionClient(introspectUri, CLIENT_ID, CLIENT_SECRET); + OpaqueTokenIntrospector introspectionClient = + new NimbusOpaqueTokenIntrospector(introspectUri, CLIENT_ID, CLIENT_SECRET); Map attributes = introspectionClient.introspect("token"); assertThat(attributes) @@ -138,8 +134,8 @@ public class NimbusOAuth2TokenIntrospectionClientTests { server.setDispatcher(requiresAuth(CLIENT_ID, CLIENT_SECRET, ACTIVE_RESPONSE)); String introspectUri = server.url("/introspect").toString(); - OAuth2TokenIntrospectionClient introspectionClient = - new NimbusOAuth2TokenIntrospectionClient(introspectUri, CLIENT_ID, "wrong"); + OpaqueTokenIntrospector introspectionClient = + new NimbusOpaqueTokenIntrospector(introspectUri, CLIENT_ID, "wrong"); assertThatCode(() -> introspectionClient.introspect("token")) .isInstanceOf(OAuth2IntrospectionException.class); @@ -149,7 +145,7 @@ public class NimbusOAuth2TokenIntrospectionClientTests { @Test public void introspectWhenInactiveTokenThenInvalidToken() { RestOperations restOperations = mock(RestOperations.class); - OAuth2TokenIntrospectionClient introspectionClient = new NimbusOAuth2TokenIntrospectionClient(INTROSPECTION_URL, restOperations); + OpaqueTokenIntrospector introspectionClient = new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, restOperations); when(restOperations.exchange(any(RequestEntity.class), eq(String.class))) .thenReturn(INACTIVE); 
@@ -167,8 +163,8 @@ public class NimbusOAuth2TokenIntrospectionClientTests { introspectedValues.put(NOT_BEFORE, 29348723984L); RestOperations restOperations = mock(RestOperations.class); - OAuth2TokenIntrospectionClient introspectionClient = - new NimbusOAuth2TokenIntrospectionClient(INTROSPECTION_URL, restOperations); + OpaqueTokenIntrospector introspectionClient = + new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, restOperations); when(restOperations.exchange(any(RequestEntity.class), eq(String.class))) .thenReturn(response(new JSONObject(introspectedValues).toJSONString())); @@ -185,8 +181,8 @@ public class NimbusOAuth2TokenIntrospectionClientTests { @Test public void introspectWhenIntrospectionEndpointThrowsExceptionThenInvalidToken() { RestOperations restOperations = mock(RestOperations.class); - OAuth2TokenIntrospectionClient introspectionClient = - new NimbusOAuth2TokenIntrospectionClient(INTROSPECTION_URL, restOperations); + OpaqueTokenIntrospector introspectionClient = + new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, restOperations); when(restOperations.exchange(any(RequestEntity.class), eq(String.class))) .thenThrow(new IllegalStateException("server was unresponsive")); @@ -200,8 +196,8 @@ public class NimbusOAuth2TokenIntrospectionClientTests { @Test public void introspectWhenIntrospectionEndpointReturnsMalformedResponseThenInvalidToken() { RestOperations restOperations = mock(RestOperations.class); - OAuth2TokenIntrospectionClient introspectionClient = - new NimbusOAuth2TokenIntrospectionClient(INTROSPECTION_URL, restOperations); + OpaqueTokenIntrospector introspectionClient = + new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, restOperations); when(restOperations.exchange(any(RequestEntity.class), eq(String.class))) .thenReturn(response("malformed")); 
@@ -212,8 +208,8 @@ public class NimbusOAuth2TokenIntrospectionClientTests { @Test public void introspectWhenIntrospectionTokenReturnsInvalidResponseThenInvalidToken() { RestOperations restOperations = mock(RestOperations.class); - OAuth2TokenIntrospectionClient introspectionClient = - new NimbusOAuth2TokenIntrospectionClient(INTROSPECTION_URL, restOperations); + OpaqueTokenIntrospector introspectionClient = + new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, restOperations); when(restOperations.exchange(any(RequestEntity.class), eq(String.class))) .thenReturn(INVALID); @@ -224,8 +220,8 @@ public class NimbusOAuth2TokenIntrospectionClientTests { @Test public void introspectWhenIntrospectionTokenReturnsMalformedIssuerResponseThenInvalidToken() { RestOperations restOperations = mock(RestOperations.class); - OAuth2TokenIntrospectionClient introspectionClient = - new NimbusOAuth2TokenIntrospectionClient(INTROSPECTION_URL, restOperations); + OpaqueTokenIntrospector introspectionClient = + new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, restOperations); when(restOperations.exchange(any(RequestEntity.class), eq(String.class))) .thenReturn(MALFORMED_ISSUER); 
@@ -235,25 +231,25 @@ public class NimbusOAuth2TokenIntrospectionClientTests { @Test public void constructorWhenIntrospectionUriIsNullThenIllegalArgumentException() { - assertThatCode(() -> new NimbusOAuth2TokenIntrospectionClient(null, CLIENT_ID, CLIENT_SECRET)) + assertThatCode(() -> new NimbusOpaqueTokenIntrospector(null, CLIENT_ID, CLIENT_SECRET)) .isInstanceOf(IllegalArgumentException.class); } @Test public void constructorWhenClientIdIsNullThenIllegalArgumentException() { - assertThatCode(() -> new NimbusOAuth2TokenIntrospectionClient(INTROSPECTION_URL, null, CLIENT_SECRET)) + assertThatCode(() -> new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, null, CLIENT_SECRET)) .isInstanceOf(IllegalArgumentException.class); } @Test public void constructorWhenClientSecretIsNullThenIllegalArgumentException() { - assertThatCode(() -> new NimbusOAuth2TokenIntrospectionClient(INTROSPECTION_URL, CLIENT_ID, null)) + assertThatCode(() -> new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, CLIENT_ID, null)) .isInstanceOf(IllegalArgumentException.class); } @Test public void constructorWhenRestOperationsIsNullThenIllegalArgumentException() { - assertThatCode(() -> new NimbusOAuth2TokenIntrospectionClient(INTROSPECTION_URL, null)) + assertThatCode(() -> new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, null)) .isInstanceOf(IllegalArgumentException.class); } @@ -261,7 +257,7 @@ public class NimbusOAuth2TokenIntrospectionClientTests { public void setRequestEntityConverterWhenConverterIsNullThenExceptionIsThrown() { RestOperations restOperations = mock(RestOperations.class); - NimbusOAuth2TokenIntrospectionClient introspectionClient = new NimbusOAuth2TokenIntrospectionClient( + NimbusOpaqueTokenIntrospector introspectionClient = new NimbusOpaqueTokenIntrospector( INTROSPECTION_URL, restOperations ); 
@@ -278,7 +274,7 @@ public class NimbusOAuth2TokenIntrospectionClientTests { String tokenToIntrospect = "some token"; when(requestEntityConverter.convert(tokenToIntrospect)).thenReturn(requestEntity); when(restOperations.exchange(requestEntity, String.class)).thenReturn(ACTIVE); - NimbusOAuth2TokenIntrospectionClient introspectionClient = new NimbusOAuth2TokenIntrospectionClient( + NimbusOpaqueTokenIntrospector introspectionClient = new NimbusOpaqueTokenIntrospector( INTROSPECTION_URL, restOperations ); introspectionClient.setRequestEntityConverter(requestEntityConverter); diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/introspection/NimbusReactiveOAuth2TokenIntrospectionClientTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/introspection/NimbusReactiveOpaqueTokenIntrospectorTests.java similarity index 83% rename from oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/introspection/NimbusReactiveOAuth2TokenIntrospectionClientTests.java rename to oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/introspection/NimbusReactiveOpaqueTokenIntrospectorTests.java index d760a925f8..54ccbe9c55 100644 --- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/introspection/NimbusReactiveOAuth2TokenIntrospectionClientTests.java +++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/introspection/NimbusReactiveOpaqueTokenIntrospectorTests.java 
@@ -36,9 +36,6 @@ import reactor.core.publisher.Mono; import org.springframework.http.HttpHeaders; import org.springframework.http.HttpStatus; import org.springframework.http.MediaType; -import org.springframework.security.oauth2.server.resource.introspection.NimbusReactiveOAuth2TokenIntrospectionClient; -import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames; -import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionException; import org.springframework.web.reactive.function.client.ClientResponse; import org.springframework.web.reactive.function.client.WebClient; @@ -56,9 +53,9 @@ import static org.springframework.security.oauth2.server.resource.introspection. import static org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames.USERNAME; /** - * Tests for {@link NimbusReactiveOAuth2TokenIntrospectionClient} + * Tests for {@link NimbusReactiveOpaqueTokenIntrospector} */ -public class NimbusReactiveOAuth2TokenIntrospectionClientTests { +public class NimbusReactiveOpaqueTokenIntrospectorTests { private static final String INTROSPECTION_URL = "https://server.example.com"; private static final String CLIENT_ID = "client"; private static final String CLIENT_SECRET = "secret"; @@ -103,8 +100,8 @@ public class NimbusReactiveOAuth2TokenIntrospectionClientTests { server.setDispatcher(requiresAuth(CLIENT_ID, CLIENT_SECRET, ACTIVE_RESPONSE)); String introspectUri = server.url("/introspect").toString(); - NimbusReactiveOAuth2TokenIntrospectionClient introspectionClient = - new NimbusReactiveOAuth2TokenIntrospectionClient(introspectUri, CLIENT_ID, CLIENT_SECRET); + NimbusReactiveOpaqueTokenIntrospector introspectionClient = + new NimbusReactiveOpaqueTokenIntrospector(introspectUri, CLIENT_ID, CLIENT_SECRET); Map attributes = introspectionClient.introspect("token").block(); assertThat(attributes) 
@@ -127,8 +124,8 @@ public class NimbusReactiveOAuth2TokenIntrospectionClientTests { server.setDispatcher(requiresAuth(CLIENT_ID, CLIENT_SECRET, ACTIVE_RESPONSE)); String introspectUri = server.url("/introspect").toString(); - NimbusReactiveOAuth2TokenIntrospectionClient introspectionClient = - new NimbusReactiveOAuth2TokenIntrospectionClient(introspectUri, CLIENT_ID, "wrong"); + NimbusReactiveOpaqueTokenIntrospector introspectionClient = + new NimbusReactiveOpaqueTokenIntrospector(introspectUri, CLIENT_ID, "wrong"); assertThatCode(() -> introspectionClient.introspect("token").block()) .isInstanceOf(OAuth2IntrospectionException.class); @@ -138,8 +135,8 @@ public class NimbusReactiveOAuth2TokenIntrospectionClientTests { @Test public void authenticateWhenInactiveTokenThenInvalidToken() { WebClient webClient = mockResponse(INACTIVE_RESPONSE); - NimbusReactiveOAuth2TokenIntrospectionClient introspectionClient = - new NimbusReactiveOAuth2TokenIntrospectionClient(INTROSPECTION_URL, webClient); + NimbusReactiveOpaqueTokenIntrospector introspectionClient = + new NimbusReactiveOpaqueTokenIntrospector(INTROSPECTION_URL, webClient); assertThatCode(() -> introspectionClient.introspect("token").block()) .isInstanceOf(OAuth2IntrospectionException.class) @@ -155,8 +152,8 @@ public class NimbusReactiveOAuth2TokenIntrospectionClientTests { introspectedValues.put(NOT_BEFORE, 29348723984L); WebClient webClient = mockResponse(new JSONObject(introspectedValues).toJSONString()); - NimbusReactiveOAuth2TokenIntrospectionClient introspectionClient = - new NimbusReactiveOAuth2TokenIntrospectionClient(INTROSPECTION_URL, webClient); + NimbusReactiveOpaqueTokenIntrospector introspectionClient = + new NimbusReactiveOpaqueTokenIntrospector(INTROSPECTION_URL, webClient); Map attributes = introspectionClient.introspect("token").block(); assertThat(attributes) 
@@ -171,8 +168,8 @@ public class NimbusReactiveOAuth2TokenIntrospectionClientTests { @Test public void authenticateWhenIntrospectionEndpointThrowsExceptionThenInvalidToken() { WebClient webClient = mockResponse(new IllegalStateException("server was unresponsive")); - NimbusReactiveOAuth2TokenIntrospectionClient introspectionClient = - new NimbusReactiveOAuth2TokenIntrospectionClient(INTROSPECTION_URL, webClient); + NimbusReactiveOpaqueTokenIntrospector introspectionClient = + new NimbusReactiveOpaqueTokenIntrospector(INTROSPECTION_URL, webClient); assertThatCode(() -> introspectionClient.introspect("token").block()) .isInstanceOf(OAuth2IntrospectionException.class) @@ -183,8 +180,8 @@ public class NimbusReactiveOAuth2TokenIntrospectionClientTests { @Test public void authenticateWhenIntrospectionEndpointReturnsMalformedResponseThenInvalidToken() { WebClient webClient = mockResponse("malformed"); - NimbusReactiveOAuth2TokenIntrospectionClient introspectionClient = - new NimbusReactiveOAuth2TokenIntrospectionClient(INTROSPECTION_URL, webClient); + NimbusReactiveOpaqueTokenIntrospector introspectionClient = + new NimbusReactiveOpaqueTokenIntrospector(INTROSPECTION_URL, webClient); assertThatCode(() -> introspectionClient.introspect("token").block()) .isInstanceOf(OAuth2IntrospectionException.class); @@ -193,8 +190,8 @@ public class NimbusReactiveOAuth2TokenIntrospectionClientTests { @Test public void authenticateWhenIntrospectionTokenReturnsInvalidResponseThenInvalidToken() { WebClient webClient = mockResponse(INVALID_RESPONSE); - NimbusReactiveOAuth2TokenIntrospectionClient introspectionClient = - new NimbusReactiveOAuth2TokenIntrospectionClient(INTROSPECTION_URL, webClient); + NimbusReactiveOpaqueTokenIntrospector introspectionClient = + new NimbusReactiveOpaqueTokenIntrospector(INTROSPECTION_URL, webClient); assertThatCode(() -> introspectionClient.introspect("token").block()) .isInstanceOf(OAuth2IntrospectionException.class); 
@@ -203,8 +200,8 @@ public class NimbusReactiveOAuth2TokenIntrospectionClientTests { @Test public void authenticateWhenIntrospectionTokenReturnsMalformedIssuerResponseThenInvalidToken() { WebClient webClient = mockResponse(MALFORMED_ISSUER_RESPONSE); - NimbusReactiveOAuth2TokenIntrospectionClient introspectionClient = - new NimbusReactiveOAuth2TokenIntrospectionClient(INTROSPECTION_URL, webClient); + NimbusReactiveOpaqueTokenIntrospector introspectionClient = + new NimbusReactiveOpaqueTokenIntrospector(INTROSPECTION_URL, webClient); assertThatCode(() -> introspectionClient.introspect("token").block()) .isInstanceOf(OAuth2IntrospectionException.class); 
@@ -212,25 +209,25 @@ public class NimbusReactiveOAuth2TokenIntrospectionClientTests { @Test public void constructorWhenIntrospectionUriIsEmptyThenIllegalArgumentException() { - assertThatCode(() -> new NimbusReactiveOAuth2TokenIntrospectionClient("", CLIENT_ID, CLIENT_SECRET)) + assertThatCode(() -> new NimbusReactiveOpaqueTokenIntrospector("", CLIENT_ID, CLIENT_SECRET)) .isInstanceOf(IllegalArgumentException.class); } @Test public void constructorWhenClientIdIsEmptyThenIllegalArgumentException() { - assertThatCode(() -> new NimbusReactiveOAuth2TokenIntrospectionClient(INTROSPECTION_URL, "", CLIENT_SECRET)) + assertThatCode(() -> new NimbusReactiveOpaqueTokenIntrospector(INTROSPECTION_URL, "", CLIENT_SECRET)) .isInstanceOf(IllegalArgumentException.class); } @Test public void constructorWhenClientSecretIsNullThenIllegalArgumentException() { - assertThatCode(() -> new NimbusReactiveOAuth2TokenIntrospectionClient(INTROSPECTION_URL, CLIENT_ID, null)) + assertThatCode(() -> new NimbusReactiveOpaqueTokenIntrospector(INTROSPECTION_URL, CLIENT_ID, null)) .isInstanceOf(IllegalArgumentException.class); } @Test public void constructorWhenRestOperationsIsNullThenIllegalArgumentException() { - assertThatCode(() -> new NimbusReactiveOAuth2TokenIntrospectionClient(INTROSPECTION_URL, null)) + assertThatCode(() -> new NimbusReactiveOpaqueTokenIntrospector(INTROSPECTION_URL, null)) .isInstanceOf(IllegalArgumentException.class); } diff --git a/samples/boot/oauth2resourceserver-multitenancy/src/main/java/sample/OAuth2ResourceServerSecurityConfiguration.java b/samples/boot/oauth2resourceserver-multitenancy/src/main/java/sample/OAuth2ResourceServerSecurityConfiguration.java index 1c65ea247f..9bfd6e639e 100644 --- a/samples/boot/oauth2resourceserver-multitenancy/src/main/java/sample/OAuth2ResourceServerSecurityConfiguration.java +++ b/samples/boot/oauth2resourceserver-multitenancy/src/main/java/sample/OAuth2ResourceServerSecurityConfiguration.java 
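Review bot: The last test in this hunk, `constructorWhenRestOperationsIsNullThenIllegalArgumentException`, sits in the reactive test class, where the other hunks of this file pass a `WebClient` as the second constructor argument, so the name presumably describes the wrong collaborator. Since the line inside it is being edited anyway, the method could become `constructorWhenWebClientIsNullThenIllegalArgumentException`. A one-line comment stating which two-argument constructor the bare `null` is meant to select would also help, because the literal gives the reader no type to go on.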
@@ -30,8 +30,8 @@ import org.springframework.security.oauth2.jwt.JwtDecoder; import org.springframework.security.oauth2.jwt.NimbusJwtDecoder; import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider; import org.springframework.security.oauth2.server.resource.authentication.OAuth2IntrospectionAuthenticationProvider; -import org.springframework.security.oauth2.server.resource.introspection.NimbusOAuth2TokenIntrospectionClient; -import org.springframework.security.oauth2.server.resource.introspection.OAuth2TokenIntrospectionClient; +import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector; +import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector; import static org.springframework.security.web.authentication.MultiTenantAuthenticationManagerResolver.resolveFromPath; @@ -77,8 +77,8 @@ public class OAuth2ResourceServerSecurityConfiguration extends WebSecurityConfig } AuthenticationManager opaque() { - OAuth2TokenIntrospectionClient introspectionClient = - new NimbusOAuth2TokenIntrospectionClient(this.introspectionUri, "client", "secret"); + OpaqueTokenIntrospector introspectionClient = + new NimbusOpaqueTokenIntrospector(this.introspectionUri, "client", "secret"); return new OAuth2IntrospectionAuthenticationProvider(introspectionClient)::authenticate; } }
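Review bot: In `opaque()` the introspector is still built with the literal credentials `"client"` and `"secret"`, while the endpoint comes from `this.introspectionUri`. Sample configurations tend to be copied into real resource servers, and a client secret compiled into the class is hard to rotate and easy to leak through source control. Since the line is rewritten by this commit, it could read `new NimbusOpaqueTokenIntrospector(this.introspectionUri, this.clientId, this.clientSecret);`, with the two fields supplied from external configuration in the same way `introspectionUri` presumably is. Those field declarations lie outside this hunk.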