Remove deprecated NimbusAuthorizationCodeTokenResponseClient
Closes gh-11512
This commit is contained in:
Joe Grandja
parent
d27322c9e0
commit
746d27eab1
|
|
@ -1,183 +0,0 @@
|
|||
/*
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.oauth2.client.endpoint;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.net.URI;
|
||||
import java.util.LinkedHashMap;
|
||||
import java.util.LinkedHashSet;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
|
||||
import com.nimbusds.oauth2.sdk.AccessTokenResponse;
|
||||
import com.nimbusds.oauth2.sdk.AuthorizationCode;
|
||||
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
|
||||
import com.nimbusds.oauth2.sdk.AuthorizationGrant;
|
||||
import com.nimbusds.oauth2.sdk.ErrorObject;
|
||||
import com.nimbusds.oauth2.sdk.ParseException;
|
||||
import com.nimbusds.oauth2.sdk.TokenErrorResponse;
|
||||
import com.nimbusds.oauth2.sdk.TokenRequest;
|
||||
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
|
||||
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
|
||||
import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
|
||||
import com.nimbusds.oauth2.sdk.auth.Secret;
|
||||
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
|
||||
import com.nimbusds.oauth2.sdk.id.ClientID;
|
||||
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.security.oauth2.client.registration.ClientRegistration;
|
||||
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
|
||||
import org.springframework.security.oauth2.core.OAuth2AccessToken;
|
||||
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
|
||||
import org.springframework.security.oauth2.core.OAuth2Error;
|
||||
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
|
||||
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
|
||||
import org.springframework.util.CollectionUtils;
|
||||
|
||||
/**
|
||||
* An implementation of an {@link OAuth2AccessTokenResponseClient} that
|
||||
* "exchanges" an authorization code credential for an access token credential
|
||||
* at the Authorization Server's Token Endpoint.
|
||||
*
|
||||
* <p>
|
||||
* <b>NOTE:</b> This implementation uses the Nimbus OAuth 2.0 SDK internally.
|
||||
*
|
||||
* @author Joe Grandja
|
||||
* @since 5.0
|
||||
* @see OAuth2AccessTokenResponseClient
|
||||
* @see OAuth2AuthorizationCodeGrantRequest
|
||||
* @see OAuth2AccessTokenResponse
|
||||
* @see <a target="_blank" href=
|
||||
* "https://connect2id.com/products/nimbus-oauth-openid-connect-sdk">Nimbus OAuth 2.0
|
||||
* SDK</a>
|
||||
* @see <a target="_blank" href=
|
||||
* "https://tools.ietf.org/html/rfc6749#section-4.1.3">Section 4.1.3 Access Token Request
|
||||
* (Authorization Code Grant)</a>
|
||||
* @see <a target="_blank" href=
|
||||
* "https://tools.ietf.org/html/rfc6749#section-4.1.4">Section 4.1.4 Access Token Response
|
||||
* (Authorization Code Grant)</a>
|
||||
* @deprecated Use {@link DefaultAuthorizationCodeTokenResponseClient}
|
||||
*/
|
||||
@Deprecated
|
||||
public class NimbusAuthorizationCodeTokenResponseClient
|
||||
implements OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> {
|
||||
|
||||
private static final String INVALID_TOKEN_RESPONSE_ERROR_CODE = "invalid_token_response";
|
||||
|
||||
@Override
|
||||
public OAuth2AccessTokenResponse getTokenResponse(OAuth2AuthorizationCodeGrantRequest authorizationGrantRequest) {
|
||||
ClientRegistration clientRegistration = authorizationGrantRequest.getClientRegistration();
|
||||
// Build the authorization code grant request for the token endpoint
|
||||
AuthorizationCode authorizationCode = new AuthorizationCode(
|
||||
authorizationGrantRequest.getAuthorizationExchange().getAuthorizationResponse().getCode());
|
||||
URI redirectUri = toURI(
|
||||
authorizationGrantRequest.getAuthorizationExchange().getAuthorizationRequest().getRedirectUri());
|
||||
AuthorizationGrant authorizationCodeGrant = new AuthorizationCodeGrant(authorizationCode, redirectUri);
|
||||
URI tokenUri = toURI(clientRegistration.getProviderDetails().getTokenUri());
|
||||
// Set the credentials to authenticate the client at the token endpoint
|
||||
ClientID clientId = new ClientID(clientRegistration.getClientId());
|
||||
Secret clientSecret = new Secret(clientRegistration.getClientSecret());
|
||||
boolean isPost = ClientAuthenticationMethod.CLIENT_SECRET_POST
|
||||
.equals(clientRegistration.getClientAuthenticationMethod())
|
||||
|| ClientAuthenticationMethod.POST.equals(clientRegistration.getClientAuthenticationMethod());
|
||||
ClientAuthentication clientAuthentication = isPost ? new ClientSecretPost(clientId, clientSecret)
|
||||
: new ClientSecretBasic(clientId, clientSecret);
|
||||
com.nimbusds.oauth2.sdk.TokenResponse tokenResponse = getTokenResponse(authorizationCodeGrant, tokenUri,
|
||||
clientAuthentication);
|
||||
if (!tokenResponse.indicatesSuccess()) {
|
||||
TokenErrorResponse tokenErrorResponse = (TokenErrorResponse) tokenResponse;
|
||||
ErrorObject errorObject = tokenErrorResponse.getErrorObject();
|
||||
throw new OAuth2AuthorizationException(getOAuthError(errorObject));
|
||||
}
|
||||
AccessTokenResponse accessTokenResponse = (AccessTokenResponse) tokenResponse;
|
||||
String accessToken = accessTokenResponse.getTokens().getAccessToken().getValue();
|
||||
OAuth2AccessToken.TokenType accessTokenType = null;
|
||||
if (OAuth2AccessToken.TokenType.BEARER.getValue()
|
||||
.equalsIgnoreCase(accessTokenResponse.getTokens().getAccessToken().getType().getValue())) {
|
||||
accessTokenType = OAuth2AccessToken.TokenType.BEARER;
|
||||
}
|
||||
long expiresIn = accessTokenResponse.getTokens().getAccessToken().getLifetime();
|
||||
// As per spec, in section 5.1 Successful Access Token Response
|
||||
// https://tools.ietf.org/html/rfc6749#section-5.1
|
||||
// If AccessTokenResponse.scope is empty, then default to the scope
|
||||
// originally requested by the client in the Authorization Request
|
||||
Set<String> scopes = getScopes(authorizationGrantRequest, accessTokenResponse);
|
||||
String refreshToken = null;
|
||||
if (accessTokenResponse.getTokens().getRefreshToken() != null) {
|
||||
refreshToken = accessTokenResponse.getTokens().getRefreshToken().getValue();
|
||||
}
|
||||
Map<String, Object> additionalParameters = new LinkedHashMap<>(accessTokenResponse.getCustomParameters());
|
||||
// @formatter:off
|
||||
return OAuth2AccessTokenResponse.withToken(accessToken)
|
||||
.tokenType(accessTokenType)
|
||||
.expiresIn(expiresIn)
|
||||
.scopes(scopes)
|
||||
.refreshToken(refreshToken)
|
||||
.additionalParameters(additionalParameters)
|
||||
.build();
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
private com.nimbusds.oauth2.sdk.TokenResponse getTokenResponse(AuthorizationGrant authorizationCodeGrant,
|
||||
URI tokenUri, ClientAuthentication clientAuthentication) {
|
||||
try {
|
||||
// Send the Access Token request
|
||||
TokenRequest tokenRequest = new TokenRequest(tokenUri, clientAuthentication, authorizationCodeGrant);
|
||||
HTTPRequest httpRequest = tokenRequest.toHTTPRequest();
|
||||
httpRequest.setAccept(MediaType.APPLICATION_JSON_VALUE);
|
||||
httpRequest.setConnectTimeout(30000);
|
||||
httpRequest.setReadTimeout(30000);
|
||||
return com.nimbusds.oauth2.sdk.TokenResponse.parse(httpRequest.send());
|
||||
}
|
||||
catch (ParseException | IOException ex) {
|
||||
OAuth2Error oauth2Error = new OAuth2Error(INVALID_TOKEN_RESPONSE_ERROR_CODE,
|
||||
"An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: "
|
||||
+ ex.getMessage(),
|
||||
null);
|
||||
throw new OAuth2AuthorizationException(oauth2Error, ex);
|
||||
}
|
||||
}
|
||||
|
||||
private Set<String> getScopes(OAuth2AuthorizationCodeGrantRequest authorizationGrantRequest,
|
||||
AccessTokenResponse accessTokenResponse) {
|
||||
if (CollectionUtils.isEmpty(accessTokenResponse.getTokens().getAccessToken().getScope())) {
|
||||
return new LinkedHashSet<>(
|
||||
authorizationGrantRequest.getAuthorizationExchange().getAuthorizationRequest().getScopes());
|
||||
}
|
||||
return new LinkedHashSet<>(accessTokenResponse.getTokens().getAccessToken().getScope().toStringList());
|
||||
}
|
||||
|
||||
private OAuth2Error getOAuthError(ErrorObject errorObject) {
|
||||
if (errorObject == null) {
|
||||
return new OAuth2Error(OAuth2ErrorCodes.SERVER_ERROR);
|
||||
}
|
||||
String errorCode = (errorObject.getCode() != null) ? errorObject.getCode() : OAuth2ErrorCodes.SERVER_ERROR;
|
||||
String description = errorObject.getDescription();
|
||||
String uri = (errorObject.getURI() != null) ? errorObject.getURI().toString() : null;
|
||||
return new OAuth2Error(errorCode, description, uri);
|
||||
}
|
||||
|
||||
private static URI toURI(String uriStr) {
|
||||
try {
|
||||
return new URI(uriStr);
|
||||
}
|
||||
catch (Exception ex) {
|
||||
throw new IllegalArgumentException("An error occurred parsing URI: " + uriStr, ex);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -1,289 +0,0 @@
|
|||
/*
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.oauth2.client.endpoint;
|
||||
|
||||
import java.time.Instant;
|
||||
|
||||
import okhttp3.mockwebserver.MockResponse;
|
||||
import okhttp3.mockwebserver.MockWebServer;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
|
||||
import org.springframework.http.HttpHeaders;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.security.oauth2.client.registration.ClientRegistration;
|
||||
import org.springframework.security.oauth2.client.registration.TestClientRegistrations;
|
||||
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
|
||||
import org.springframework.security.oauth2.core.OAuth2AccessToken;
|
||||
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
|
||||
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
|
||||
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange;
|
||||
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
|
||||
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse;
|
||||
import org.springframework.security.oauth2.core.endpoint.TestOAuth2AuthorizationRequests;
|
||||
import org.springframework.security.oauth2.core.endpoint.TestOAuth2AuthorizationResponses;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
|
||||
/**
|
||||
* Tests for {@link NimbusAuthorizationCodeTokenResponseClient}.
|
||||
*
|
||||
* @author Joe Grandja
|
||||
*/
|
||||
public class NimbusAuthorizationCodeTokenResponseClientTests {
|
||||
|
||||
private ClientRegistration.Builder clientRegistrationBuilder;
|
||||
|
||||
private OAuth2AuthorizationRequest authorizationRequest;
|
||||
|
||||
private OAuth2AuthorizationResponse authorizationResponse;
|
||||
|
||||
private OAuth2AuthorizationExchange authorizationExchange;
|
||||
|
||||
private NimbusAuthorizationCodeTokenResponseClient tokenResponseClient = new NimbusAuthorizationCodeTokenResponseClient();
|
||||
|
||||
@BeforeEach
|
||||
public void setUp() {
|
||||
this.clientRegistrationBuilder = TestClientRegistrations.clientRegistration()
|
||||
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
|
||||
this.authorizationRequest = TestOAuth2AuthorizationRequests.request().build();
|
||||
this.authorizationResponse = TestOAuth2AuthorizationResponses.success().build();
|
||||
this.authorizationExchange = new OAuth2AuthorizationExchange(this.authorizationRequest,
|
||||
this.authorizationResponse);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getTokenResponseWhenSuccessResponseThenReturnAccessTokenResponse() throws Exception {
|
||||
MockWebServer server = new MockWebServer();
|
||||
// @formatter:off
|
||||
String accessTokenSuccessResponse = "{\n"
|
||||
+ " \"access_token\": \"access-token-1234\",\n"
|
||||
+ " \"token_type\": \"bearer\",\n"
|
||||
+ " \"expires_in\": \"3600\",\n"
|
||||
+ " \"scope\": \"openid profile\",\n"
|
||||
+ " \"refresh_token\": \"refresh-token-1234\",\n"
|
||||
+ " \"custom_parameter_1\": \"custom-value-1\",\n"
|
||||
+ " \"custom_parameter_2\": \"custom-value-2\"\n"
|
||||
+ "}\n";
|
||||
// @formatter:on
|
||||
server.enqueue(new MockResponse().setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
|
||||
.setBody(accessTokenSuccessResponse));
|
||||
server.start();
|
||||
String tokenUri = server.url("/oauth2/token").toString();
|
||||
this.clientRegistrationBuilder.tokenUri(tokenUri);
|
||||
Instant expiresAtBefore = Instant.now().plusSeconds(3600);
|
||||
OAuth2AccessTokenResponse accessTokenResponse = this.tokenResponseClient
|
||||
.getTokenResponse(new OAuth2AuthorizationCodeGrantRequest(this.clientRegistrationBuilder.build(),
|
||||
this.authorizationExchange));
|
||||
Instant expiresAtAfter = Instant.now().plusSeconds(3600);
|
||||
server.shutdown();
|
||||
assertThat(accessTokenResponse.getAccessToken().getTokenValue()).isEqualTo("access-token-1234");
|
||||
assertThat(accessTokenResponse.getAccessToken().getTokenType()).isEqualTo(OAuth2AccessToken.TokenType.BEARER);
|
||||
assertThat(accessTokenResponse.getAccessToken().getExpiresAt()).isBetween(expiresAtBefore, expiresAtAfter);
|
||||
assertThat(accessTokenResponse.getAccessToken().getScopes()).containsExactly("openid", "profile");
|
||||
assertThat(accessTokenResponse.getRefreshToken().getTokenValue()).isEqualTo("refresh-token-1234");
|
||||
assertThat(accessTokenResponse.getAdditionalParameters().size()).isEqualTo(2);
|
||||
assertThat(accessTokenResponse.getAdditionalParameters()).containsEntry("custom_parameter_1", "custom-value-1");
|
||||
assertThat(accessTokenResponse.getAdditionalParameters()).containsEntry("custom_parameter_2", "custom-value-2");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getTokenResponseWhenRedirectUriMalformedThenThrowIllegalArgumentException() {
|
||||
String redirectUri = "http:\\example.com";
|
||||
OAuth2AuthorizationRequest authorizationRequest = TestOAuth2AuthorizationRequests.request()
|
||||
.redirectUri(redirectUri).build();
|
||||
OAuth2AuthorizationExchange authorizationExchange = new OAuth2AuthorizationExchange(authorizationRequest,
|
||||
this.authorizationResponse);
|
||||
assertThatIllegalArgumentException()
|
||||
.isThrownBy(() -> this.tokenResponseClient.getTokenResponse(new OAuth2AuthorizationCodeGrantRequest(
|
||||
this.clientRegistrationBuilder.build(), authorizationExchange)));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getTokenResponseWhenTokenUriMalformedThenThrowIllegalArgumentException() {
|
||||
String tokenUri = "http:\\provider.com\\oauth2\\token";
|
||||
this.clientRegistrationBuilder.tokenUri(tokenUri);
|
||||
assertThatIllegalArgumentException()
|
||||
.isThrownBy(() -> this.tokenResponseClient.getTokenResponse(new OAuth2AuthorizationCodeGrantRequest(
|
||||
this.clientRegistrationBuilder.build(), this.authorizationExchange)));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getTokenResponseWhenSuccessResponseInvalidThenThrowOAuth2AuthorizationException() throws Exception {
|
||||
MockWebServer server = new MockWebServer();
|
||||
// @formatter:off
|
||||
String accessTokenSuccessResponse = "{\n"
|
||||
+ " \"access_token\": \"access-token-1234\",\n"
|
||||
+ " \"token_type\": \"bearer\",\n"
|
||||
+ " \"expires_in\": \"3600\",\n"
|
||||
+ " \"scope\": \"openid profile\",\n"
|
||||
+ " \"custom_parameter_1\": \"custom-value-1\",\n"
|
||||
+ " \"custom_parameter_2\": \"custom-value-2\"\n";
|
||||
// "}\n"; // Make the JSON invalid/malformed
|
||||
// @formatter:on
|
||||
server.enqueue(new MockResponse().setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
|
||||
.setBody(accessTokenSuccessResponse));
|
||||
server.start();
|
||||
String tokenUri = server.url("/oauth2/token").toString();
|
||||
this.clientRegistrationBuilder.tokenUri(tokenUri);
|
||||
try {
|
||||
assertThatExceptionOfType(OAuth2AuthorizationException.class)
|
||||
.isThrownBy(() -> this.tokenResponseClient.getTokenResponse(new OAuth2AuthorizationCodeGrantRequest(
|
||||
this.clientRegistrationBuilder.build(), this.authorizationExchange)))
|
||||
.withMessageContaining("invalid_token_response");
|
||||
}
|
||||
finally {
|
||||
server.shutdown();
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getTokenResponseWhenTokenUriInvalidThenThrowOAuth2AuthorizationException() {
|
||||
String tokenUri = "https://invalid-provider.com/oauth2/token";
|
||||
this.clientRegistrationBuilder.tokenUri(tokenUri);
|
||||
assertThatExceptionOfType(OAuth2AuthorizationException.class)
|
||||
.isThrownBy(() -> this.tokenResponseClient.getTokenResponse(new OAuth2AuthorizationCodeGrantRequest(
|
||||
this.clientRegistrationBuilder.build(), this.authorizationExchange)));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getTokenResponseWhenErrorResponseThenThrowOAuth2AuthorizationException() throws Exception {
|
||||
MockWebServer server = new MockWebServer();
|
||||
// @formatter:off
|
||||
String accessTokenErrorResponse = "{\n"
|
||||
+ " \"error\": \"unauthorized_client\"\n"
|
||||
+ "}\n";
|
||||
// @formatter:on
|
||||
server.enqueue(new MockResponse().setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
|
||||
.setResponseCode(500).setBody(accessTokenErrorResponse));
|
||||
server.start();
|
||||
String tokenUri = server.url("/oauth2/token").toString();
|
||||
this.clientRegistrationBuilder.tokenUri(tokenUri);
|
||||
try {
|
||||
assertThatExceptionOfType(OAuth2AuthorizationException.class)
|
||||
.isThrownBy(() -> this.tokenResponseClient.getTokenResponse(new OAuth2AuthorizationCodeGrantRequest(
|
||||
this.clientRegistrationBuilder.build(), this.authorizationExchange)))
|
||||
.withMessageContaining("unauthorized_client");
|
||||
}
|
||||
finally {
|
||||
server.shutdown();
|
||||
}
|
||||
}
|
||||
|
||||
// gh-5594
|
||||
@Test
|
||||
public void getTokenResponseWhenServerErrorResponseThenThrowOAuth2AuthorizationException() throws Exception {
|
||||
MockWebServer server = new MockWebServer();
|
||||
server.enqueue(new MockResponse().setResponseCode(500));
|
||||
server.start();
|
||||
String tokenUri = server.url("/oauth2/token").toString();
|
||||
this.clientRegistrationBuilder.tokenUri(tokenUri);
|
||||
try {
|
||||
assertThatExceptionOfType(OAuth2AuthorizationException.class)
|
||||
.isThrownBy(() -> this.tokenResponseClient.getTokenResponse(new OAuth2AuthorizationCodeGrantRequest(
|
||||
this.clientRegistrationBuilder.build(), this.authorizationExchange)))
|
||||
.withMessageContaining("server_error");
|
||||
}
|
||||
finally {
|
||||
server.shutdown();
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getTokenResponseWhenSuccessResponseAndNotBearerTokenTypeThenThrowOAuth2AuthorizationException()
|
||||
throws Exception {
|
||||
MockWebServer server = new MockWebServer();
|
||||
// @formatter:off
|
||||
String accessTokenSuccessResponse = "{\n"
|
||||
+ " \"access_token\": \"access-token-1234\",\n"
|
||||
+ " \"token_type\": \"not-bearer\",\n"
|
||||
+ " \"expires_in\": \"3600\"\n"
|
||||
+ "}\n";
|
||||
// @formatter:on
|
||||
server.enqueue(new MockResponse().setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
|
||||
.setBody(accessTokenSuccessResponse));
|
||||
server.start();
|
||||
String tokenUri = server.url("/oauth2/token").toString();
|
||||
this.clientRegistrationBuilder.tokenUri(tokenUri);
|
||||
try {
|
||||
assertThatExceptionOfType(OAuth2AuthorizationException.class)
|
||||
.isThrownBy(() -> this.tokenResponseClient.getTokenResponse(new OAuth2AuthorizationCodeGrantRequest(
|
||||
this.clientRegistrationBuilder.build(), this.authorizationExchange)))
|
||||
.withMessageContaining("invalid_token_response");
|
||||
}
|
||||
finally {
|
||||
server.shutdown();
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getTokenResponseWhenSuccessResponseIncludesScopeThenReturnAccessTokenResponseUsingResponseScope()
|
||||
throws Exception {
|
||||
MockWebServer server = new MockWebServer();
|
||||
// @formatter:off
|
||||
String accessTokenSuccessResponse = "{\n"
|
||||
+ " \"access_token\": \"access-token-1234\",\n"
|
||||
+ " \"token_type\": \"bearer\",\n"
|
||||
+ " \"expires_in\": \"3600\",\n"
|
||||
+ " \"scope\": \"openid profile\"\n"
|
||||
+ "}\n";
|
||||
// @formatter:on
|
||||
server.enqueue(new MockResponse().setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
|
||||
.setBody(accessTokenSuccessResponse));
|
||||
server.start();
|
||||
String tokenUri = server.url("/oauth2/token").toString();
|
||||
this.clientRegistrationBuilder.tokenUri(tokenUri);
|
||||
OAuth2AuthorizationRequest authorizationRequest = TestOAuth2AuthorizationRequests.request()
|
||||
.scope("openid", "profile", "email", "address").build();
|
||||
OAuth2AuthorizationExchange authorizationExchange = new OAuth2AuthorizationExchange(authorizationRequest,
|
||||
this.authorizationResponse);
|
||||
OAuth2AccessTokenResponse accessTokenResponse = this.tokenResponseClient.getTokenResponse(
|
||||
new OAuth2AuthorizationCodeGrantRequest(this.clientRegistrationBuilder.build(), authorizationExchange));
|
||||
server.shutdown();
|
||||
assertThat(accessTokenResponse.getAccessToken().getScopes()).containsExactly("openid", "profile");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getTokenResponseWhenSuccessResponseDoesNotIncludeScopeThenReturnAccessTokenResponseUsingRequestedScope()
|
||||
throws Exception {
|
||||
MockWebServer server = new MockWebServer();
|
||||
// @formatter:off
|
||||
String accessTokenSuccessResponse = "{\n"
|
||||
+ " \"access_token\": \"access-token-1234\",\n"
|
||||
+ " \"token_type\": \"bearer\",\n"
|
||||
+ " \"expires_in\": \"3600\"\n"
|
||||
+ "}\n";
|
||||
// @formatter:on
|
||||
server.enqueue(new MockResponse().setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
|
||||
.setBody(accessTokenSuccessResponse));
|
||||
server.start();
|
||||
String tokenUri = server.url("/oauth2/token").toString();
|
||||
this.clientRegistrationBuilder.tokenUri(tokenUri);
|
||||
OAuth2AuthorizationRequest authorizationRequest = TestOAuth2AuthorizationRequests.request()
|
||||
.scope("openid", "profile", "email", "address").build();
|
||||
OAuth2AuthorizationExchange authorizationExchange = new OAuth2AuthorizationExchange(authorizationRequest,
|
||||
this.authorizationResponse);
|
||||
OAuth2AccessTokenResponse accessTokenResponse = this.tokenResponseClient.getTokenResponse(
|
||||
new OAuth2AuthorizationCodeGrantRequest(this.clientRegistrationBuilder.build(), authorizationExchange));
|
||||
server.shutdown();
|
||||
assertThat(accessTokenResponse.getAccessToken().getScopes()).containsExactly("openid", "profile", "email",
|
||||
"address");
|
||||
}
|
||||
|
||||
}
|
||||
Loading…
Reference in New Issue