Remove deprecated NimbusAuthorizationCodeTokenResponseClient
Closes gh-11512
This commit is contained in:
parent
d27322c9e0
commit
746d27eab1
|
@ -1,183 +0,0 @@
|
||||||
/*
|
|
||||||
* Copyright 2002-2020 the original author or authors.
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* https://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package org.springframework.security.oauth2.client.endpoint;
|
|
||||||
|
|
||||||
import java.io.IOException;
|
|
||||||
import java.net.URI;
|
|
||||||
import java.util.LinkedHashMap;
|
|
||||||
import java.util.LinkedHashSet;
|
|
||||||
import java.util.Map;
|
|
||||||
import java.util.Set;
|
|
||||||
|
|
||||||
import com.nimbusds.oauth2.sdk.AccessTokenResponse;
|
|
||||||
import com.nimbusds.oauth2.sdk.AuthorizationCode;
|
|
||||||
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
|
|
||||||
import com.nimbusds.oauth2.sdk.AuthorizationGrant;
|
|
||||||
import com.nimbusds.oauth2.sdk.ErrorObject;
|
|
||||||
import com.nimbusds.oauth2.sdk.ParseException;
|
|
||||||
import com.nimbusds.oauth2.sdk.TokenErrorResponse;
|
|
||||||
import com.nimbusds.oauth2.sdk.TokenRequest;
|
|
||||||
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
|
|
||||||
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
|
|
||||||
import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
|
|
||||||
import com.nimbusds.oauth2.sdk.auth.Secret;
|
|
||||||
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
|
|
||||||
import com.nimbusds.oauth2.sdk.id.ClientID;
|
|
||||||
|
|
||||||
import org.springframework.http.MediaType;
|
|
||||||
import org.springframework.security.oauth2.client.registration.ClientRegistration;
|
|
||||||
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
|
|
||||||
import org.springframework.security.oauth2.core.OAuth2AccessToken;
|
|
||||||
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
|
|
||||||
import org.springframework.security.oauth2.core.OAuth2Error;
|
|
||||||
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
|
|
||||||
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
|
|
||||||
import org.springframework.util.CollectionUtils;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* An implementation of an {@link OAuth2AccessTokenResponseClient} that
|
|
||||||
* "exchanges" an authorization code credential for an access token credential
|
|
||||||
* at the Authorization Server's Token Endpoint.
|
|
||||||
*
|
|
||||||
* <p>
|
|
||||||
* <b>NOTE:</b> This implementation uses the Nimbus OAuth 2.0 SDK internally.
|
|
||||||
*
|
|
||||||
* @author Joe Grandja
|
|
||||||
* @since 5.0
|
|
||||||
* @see OAuth2AccessTokenResponseClient
|
|
||||||
* @see OAuth2AuthorizationCodeGrantRequest
|
|
||||||
* @see OAuth2AccessTokenResponse
|
|
||||||
* @see <a target="_blank" href=
|
|
||||||
* "https://connect2id.com/products/nimbus-oauth-openid-connect-sdk">Nimbus OAuth 2.0
|
|
||||||
* SDK</a>
|
|
||||||
* @see <a target="_blank" href=
|
|
||||||
* "https://tools.ietf.org/html/rfc6749#section-4.1.3">Section 4.1.3 Access Token Request
|
|
||||||
* (Authorization Code Grant)</a>
|
|
||||||
* @see <a target="_blank" href=
|
|
||||||
* "https://tools.ietf.org/html/rfc6749#section-4.1.4">Section 4.1.4 Access Token Response
|
|
||||||
* (Authorization Code Grant)</a>
|
|
||||||
* @deprecated Use {@link DefaultAuthorizationCodeTokenResponseClient}
|
|
||||||
*/
|
|
||||||
@Deprecated
|
|
||||||
public class NimbusAuthorizationCodeTokenResponseClient
|
|
||||||
implements OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> {
|
|
||||||
|
|
||||||
private static final String INVALID_TOKEN_RESPONSE_ERROR_CODE = "invalid_token_response";
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public OAuth2AccessTokenResponse getTokenResponse(OAuth2AuthorizationCodeGrantRequest authorizationGrantRequest) {
|
|
||||||
ClientRegistration clientRegistration = authorizationGrantRequest.getClientRegistration();
|
|
||||||
// Build the authorization code grant request for the token endpoint
|
|
||||||
AuthorizationCode authorizationCode = new AuthorizationCode(
|
|
||||||
authorizationGrantRequest.getAuthorizationExchange().getAuthorizationResponse().getCode());
|
|
||||||
URI redirectUri = toURI(
|
|
||||||
authorizationGrantRequest.getAuthorizationExchange().getAuthorizationRequest().getRedirectUri());
|
|
||||||
AuthorizationGrant authorizationCodeGrant = new AuthorizationCodeGrant(authorizationCode, redirectUri);
|
|
||||||
URI tokenUri = toURI(clientRegistration.getProviderDetails().getTokenUri());
|
|
||||||
// Set the credentials to authenticate the client at the token endpoint
|
|
||||||
ClientID clientId = new ClientID(clientRegistration.getClientId());
|
|
||||||
Secret clientSecret = new Secret(clientRegistration.getClientSecret());
|
|
||||||
boolean isPost = ClientAuthenticationMethod.CLIENT_SECRET_POST
|
|
||||||
.equals(clientRegistration.getClientAuthenticationMethod())
|
|
||||||
|| ClientAuthenticationMethod.POST.equals(clientRegistration.getClientAuthenticationMethod());
|
|
||||||
ClientAuthentication clientAuthentication = isPost ? new ClientSecretPost(clientId, clientSecret)
|
|
||||||
: new ClientSecretBasic(clientId, clientSecret);
|
|
||||||
com.nimbusds.oauth2.sdk.TokenResponse tokenResponse = getTokenResponse(authorizationCodeGrant, tokenUri,
|
|
||||||
clientAuthentication);
|
|
||||||
if (!tokenResponse.indicatesSuccess()) {
|
|
||||||
TokenErrorResponse tokenErrorResponse = (TokenErrorResponse) tokenResponse;
|
|
||||||
ErrorObject errorObject = tokenErrorResponse.getErrorObject();
|
|
||||||
throw new OAuth2AuthorizationException(getOAuthError(errorObject));
|
|
||||||
}
|
|
||||||
AccessTokenResponse accessTokenResponse = (AccessTokenResponse) tokenResponse;
|
|
||||||
String accessToken = accessTokenResponse.getTokens().getAccessToken().getValue();
|
|
||||||
OAuth2AccessToken.TokenType accessTokenType = null;
|
|
||||||
if (OAuth2AccessToken.TokenType.BEARER.getValue()
|
|
||||||
.equalsIgnoreCase(accessTokenResponse.getTokens().getAccessToken().getType().getValue())) {
|
|
||||||
accessTokenType = OAuth2AccessToken.TokenType.BEARER;
|
|
||||||
}
|
|
||||||
long expiresIn = accessTokenResponse.getTokens().getAccessToken().getLifetime();
|
|
||||||
// As per spec, in section 5.1 Successful Access Token Response
|
|
||||||
// https://tools.ietf.org/html/rfc6749#section-5.1
|
|
||||||
// If AccessTokenResponse.scope is empty, then default to the scope
|
|
||||||
// originally requested by the client in the Authorization Request
|
|
||||||
Set<String> scopes = getScopes(authorizationGrantRequest, accessTokenResponse);
|
|
||||||
String refreshToken = null;
|
|
||||||
if (accessTokenResponse.getTokens().getRefreshToken() != null) {
|
|
||||||
refreshToken = accessTokenResponse.getTokens().getRefreshToken().getValue();
|
|
||||||
}
|
|
||||||
Map<String, Object> additionalParameters = new LinkedHashMap<>(accessTokenResponse.getCustomParameters());
|
|
||||||
// @formatter:off
|
|
||||||
return OAuth2AccessTokenResponse.withToken(accessToken)
|
|
||||||
.tokenType(accessTokenType)
|
|
||||||
.expiresIn(expiresIn)
|
|
||||||
.scopes(scopes)
|
|
||||||
.refreshToken(refreshToken)
|
|
||||||
.additionalParameters(additionalParameters)
|
|
||||||
.build();
|
|
||||||
// @formatter:on
|
|
||||||
}
|
|
||||||
|
|
||||||
private com.nimbusds.oauth2.sdk.TokenResponse getTokenResponse(AuthorizationGrant authorizationCodeGrant,
|
|
||||||
URI tokenUri, ClientAuthentication clientAuthentication) {
|
|
||||||
try {
|
|
||||||
// Send the Access Token request
|
|
||||||
TokenRequest tokenRequest = new TokenRequest(tokenUri, clientAuthentication, authorizationCodeGrant);
|
|
||||||
HTTPRequest httpRequest = tokenRequest.toHTTPRequest();
|
|
||||||
httpRequest.setAccept(MediaType.APPLICATION_JSON_VALUE);
|
|
||||||
httpRequest.setConnectTimeout(30000);
|
|
||||||
httpRequest.setReadTimeout(30000);
|
|
||||||
return com.nimbusds.oauth2.sdk.TokenResponse.parse(httpRequest.send());
|
|
||||||
}
|
|
||||||
catch (ParseException | IOException ex) {
|
|
||||||
OAuth2Error oauth2Error = new OAuth2Error(INVALID_TOKEN_RESPONSE_ERROR_CODE,
|
|
||||||
"An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: "
|
|
||||||
+ ex.getMessage(),
|
|
||||||
null);
|
|
||||||
throw new OAuth2AuthorizationException(oauth2Error, ex);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
private Set<String> getScopes(OAuth2AuthorizationCodeGrantRequest authorizationGrantRequest,
|
|
||||||
AccessTokenResponse accessTokenResponse) {
|
|
||||||
if (CollectionUtils.isEmpty(accessTokenResponse.getTokens().getAccessToken().getScope())) {
|
|
||||||
return new LinkedHashSet<>(
|
|
||||||
authorizationGrantRequest.getAuthorizationExchange().getAuthorizationRequest().getScopes());
|
|
||||||
}
|
|
||||||
return new LinkedHashSet<>(accessTokenResponse.getTokens().getAccessToken().getScope().toStringList());
|
|
||||||
}
|
|
||||||
|
|
||||||
private OAuth2Error getOAuthError(ErrorObject errorObject) {
|
|
||||||
if (errorObject == null) {
|
|
||||||
return new OAuth2Error(OAuth2ErrorCodes.SERVER_ERROR);
|
|
||||||
}
|
|
||||||
String errorCode = (errorObject.getCode() != null) ? errorObject.getCode() : OAuth2ErrorCodes.SERVER_ERROR;
|
|
||||||
String description = errorObject.getDescription();
|
|
||||||
String uri = (errorObject.getURI() != null) ? errorObject.getURI().toString() : null;
|
|
||||||
return new OAuth2Error(errorCode, description, uri);
|
|
||||||
}
|
|
||||||
|
|
||||||
private static URI toURI(String uriStr) {
|
|
||||||
try {
|
|
||||||
return new URI(uriStr);
|
|
||||||
}
|
|
||||||
catch (Exception ex) {
|
|
||||||
throw new IllegalArgumentException("An error occurred parsing URI: " + uriStr, ex);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
|
@ -1,289 +0,0 @@
|
||||||
/*
|
|
||||||
* Copyright 2002-2020 the original author or authors.
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* https://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package org.springframework.security.oauth2.client.endpoint;
|
|
||||||
|
|
||||||
import java.time.Instant;
|
|
||||||
|
|
||||||
import okhttp3.mockwebserver.MockResponse;
|
|
||||||
import okhttp3.mockwebserver.MockWebServer;
|
|
||||||
import org.junit.jupiter.api.BeforeEach;
|
|
||||||
import org.junit.jupiter.api.Test;
|
|
||||||
|
|
||||||
import org.springframework.http.HttpHeaders;
|
|
||||||
import org.springframework.http.MediaType;
|
|
||||||
import org.springframework.security.oauth2.client.registration.ClientRegistration;
|
|
||||||
import org.springframework.security.oauth2.client.registration.TestClientRegistrations;
|
|
||||||
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
|
|
||||||
import org.springframework.security.oauth2.core.OAuth2AccessToken;
|
|
||||||
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
|
|
||||||
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
|
|
||||||
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange;
|
|
||||||
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
|
|
||||||
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse;
|
|
||||||
import org.springframework.security.oauth2.core.endpoint.TestOAuth2AuthorizationRequests;
|
|
||||||
import org.springframework.security.oauth2.core.endpoint.TestOAuth2AuthorizationResponses;
|
|
||||||
|
|
||||||
import static org.assertj.core.api.Assertions.assertThat;
|
|
||||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
|
||||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Tests for {@link NimbusAuthorizationCodeTokenResponseClient}.
|
|
||||||
*
|
|
||||||
* @author Joe Grandja
|
|
||||||
*/
|
|
||||||
public class NimbusAuthorizationCodeTokenResponseClientTests {
|
|
||||||
|
|
||||||
private ClientRegistration.Builder clientRegistrationBuilder;
|
|
||||||
|
|
||||||
private OAuth2AuthorizationRequest authorizationRequest;
|
|
||||||
|
|
||||||
private OAuth2AuthorizationResponse authorizationResponse;
|
|
||||||
|
|
||||||
private OAuth2AuthorizationExchange authorizationExchange;
|
|
||||||
|
|
||||||
private NimbusAuthorizationCodeTokenResponseClient tokenResponseClient = new NimbusAuthorizationCodeTokenResponseClient();
|
|
||||||
|
|
||||||
@BeforeEach
|
|
||||||
public void setUp() {
|
|
||||||
this.clientRegistrationBuilder = TestClientRegistrations.clientRegistration()
|
|
||||||
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
|
|
||||||
this.authorizationRequest = TestOAuth2AuthorizationRequests.request().build();
|
|
||||||
this.authorizationResponse = TestOAuth2AuthorizationResponses.success().build();
|
|
||||||
this.authorizationExchange = new OAuth2AuthorizationExchange(this.authorizationRequest,
|
|
||||||
this.authorizationResponse);
|
|
||||||
}
|
|
||||||
|
|
||||||
@Test
|
|
||||||
public void getTokenResponseWhenSuccessResponseThenReturnAccessTokenResponse() throws Exception {
|
|
||||||
MockWebServer server = new MockWebServer();
|
|
||||||
// @formatter:off
|
|
||||||
String accessTokenSuccessResponse = "{\n"
|
|
||||||
+ " \"access_token\": \"access-token-1234\",\n"
|
|
||||||
+ " \"token_type\": \"bearer\",\n"
|
|
||||||
+ " \"expires_in\": \"3600\",\n"
|
|
||||||
+ " \"scope\": \"openid profile\",\n"
|
|
||||||
+ " \"refresh_token\": \"refresh-token-1234\",\n"
|
|
||||||
+ " \"custom_parameter_1\": \"custom-value-1\",\n"
|
|
||||||
+ " \"custom_parameter_2\": \"custom-value-2\"\n"
|
|
||||||
+ "}\n";
|
|
||||||
// @formatter:on
|
|
||||||
server.enqueue(new MockResponse().setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
|
|
||||||
.setBody(accessTokenSuccessResponse));
|
|
||||||
server.start();
|
|
||||||
String tokenUri = server.url("/oauth2/token").toString();
|
|
||||||
this.clientRegistrationBuilder.tokenUri(tokenUri);
|
|
||||||
Instant expiresAtBefore = Instant.now().plusSeconds(3600);
|
|
||||||
OAuth2AccessTokenResponse accessTokenResponse = this.tokenResponseClient
|
|
||||||
.getTokenResponse(new OAuth2AuthorizationCodeGrantRequest(this.clientRegistrationBuilder.build(),
|
|
||||||
this.authorizationExchange));
|
|
||||||
Instant expiresAtAfter = Instant.now().plusSeconds(3600);
|
|
||||||
server.shutdown();
|
|
||||||
assertThat(accessTokenResponse.getAccessToken().getTokenValue()).isEqualTo("access-token-1234");
|
|
||||||
assertThat(accessTokenResponse.getAccessToken().getTokenType()).isEqualTo(OAuth2AccessToken.TokenType.BEARER);
|
|
||||||
assertThat(accessTokenResponse.getAccessToken().getExpiresAt()).isBetween(expiresAtBefore, expiresAtAfter);
|
|
||||||
assertThat(accessTokenResponse.getAccessToken().getScopes()).containsExactly("openid", "profile");
|
|
||||||
assertThat(accessTokenResponse.getRefreshToken().getTokenValue()).isEqualTo("refresh-token-1234");
|
|
||||||
assertThat(accessTokenResponse.getAdditionalParameters().size()).isEqualTo(2);
|
|
||||||
assertThat(accessTokenResponse.getAdditionalParameters()).containsEntry("custom_parameter_1", "custom-value-1");
|
|
||||||
assertThat(accessTokenResponse.getAdditionalParameters()).containsEntry("custom_parameter_2", "custom-value-2");
|
|
||||||
}
|
|
||||||
|
|
||||||
@Test
|
|
||||||
public void getTokenResponseWhenRedirectUriMalformedThenThrowIllegalArgumentException() {
|
|
||||||
String redirectUri = "http:\\example.com";
|
|
||||||
OAuth2AuthorizationRequest authorizationRequest = TestOAuth2AuthorizationRequests.request()
|
|
||||||
.redirectUri(redirectUri).build();
|
|
||||||
OAuth2AuthorizationExchange authorizationExchange = new OAuth2AuthorizationExchange(authorizationRequest,
|
|
||||||
this.authorizationResponse);
|
|
||||||
assertThatIllegalArgumentException()
|
|
||||||
.isThrownBy(() -> this.tokenResponseClient.getTokenResponse(new OAuth2AuthorizationCodeGrantRequest(
|
|
||||||
this.clientRegistrationBuilder.build(), authorizationExchange)));
|
|
||||||
}
|
|
||||||
|
|
||||||
@Test
|
|
||||||
public void getTokenResponseWhenTokenUriMalformedThenThrowIllegalArgumentException() {
|
|
||||||
String tokenUri = "http:\\provider.com\\oauth2\\token";
|
|
||||||
this.clientRegistrationBuilder.tokenUri(tokenUri);
|
|
||||||
assertThatIllegalArgumentException()
|
|
||||||
.isThrownBy(() -> this.tokenResponseClient.getTokenResponse(new OAuth2AuthorizationCodeGrantRequest(
|
|
||||||
this.clientRegistrationBuilder.build(), this.authorizationExchange)));
|
|
||||||
}
|
|
||||||
|
|
||||||
@Test
|
|
||||||
public void getTokenResponseWhenSuccessResponseInvalidThenThrowOAuth2AuthorizationException() throws Exception {
|
|
||||||
MockWebServer server = new MockWebServer();
|
|
||||||
// @formatter:off
|
|
||||||
String accessTokenSuccessResponse = "{\n"
|
|
||||||
+ " \"access_token\": \"access-token-1234\",\n"
|
|
||||||
+ " \"token_type\": \"bearer\",\n"
|
|
||||||
+ " \"expires_in\": \"3600\",\n"
|
|
||||||
+ " \"scope\": \"openid profile\",\n"
|
|
||||||
+ " \"custom_parameter_1\": \"custom-value-1\",\n"
|
|
||||||
+ " \"custom_parameter_2\": \"custom-value-2\"\n";
|
|
||||||
// "}\n"; // Make the JSON invalid/malformed
|
|
||||||
// @formatter:on
|
|
||||||
server.enqueue(new MockResponse().setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
|
|
||||||
.setBody(accessTokenSuccessResponse));
|
|
||||||
server.start();
|
|
||||||
String tokenUri = server.url("/oauth2/token").toString();
|
|
||||||
this.clientRegistrationBuilder.tokenUri(tokenUri);
|
|
||||||
try {
|
|
||||||
assertThatExceptionOfType(OAuth2AuthorizationException.class)
|
|
||||||
.isThrownBy(() -> this.tokenResponseClient.getTokenResponse(new OAuth2AuthorizationCodeGrantRequest(
|
|
||||||
this.clientRegistrationBuilder.build(), this.authorizationExchange)))
|
|
||||||
.withMessageContaining("invalid_token_response");
|
|
||||||
}
|
|
||||||
finally {
|
|
||||||
server.shutdown();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@Test
|
|
||||||
public void getTokenResponseWhenTokenUriInvalidThenThrowOAuth2AuthorizationException() {
|
|
||||||
String tokenUri = "https://invalid-provider.com/oauth2/token";
|
|
||||||
this.clientRegistrationBuilder.tokenUri(tokenUri);
|
|
||||||
assertThatExceptionOfType(OAuth2AuthorizationException.class)
|
|
||||||
.isThrownBy(() -> this.tokenResponseClient.getTokenResponse(new OAuth2AuthorizationCodeGrantRequest(
|
|
||||||
this.clientRegistrationBuilder.build(), this.authorizationExchange)));
|
|
||||||
}
|
|
||||||
|
|
||||||
@Test
|
|
||||||
public void getTokenResponseWhenErrorResponseThenThrowOAuth2AuthorizationException() throws Exception {
|
|
||||||
MockWebServer server = new MockWebServer();
|
|
||||||
// @formatter:off
|
|
||||||
String accessTokenErrorResponse = "{\n"
|
|
||||||
+ " \"error\": \"unauthorized_client\"\n"
|
|
||||||
+ "}\n";
|
|
||||||
// @formatter:on
|
|
||||||
server.enqueue(new MockResponse().setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
|
|
||||||
.setResponseCode(500).setBody(accessTokenErrorResponse));
|
|
||||||
server.start();
|
|
||||||
String tokenUri = server.url("/oauth2/token").toString();
|
|
||||||
this.clientRegistrationBuilder.tokenUri(tokenUri);
|
|
||||||
try {
|
|
||||||
assertThatExceptionOfType(OAuth2AuthorizationException.class)
|
|
||||||
.isThrownBy(() -> this.tokenResponseClient.getTokenResponse(new OAuth2AuthorizationCodeGrantRequest(
|
|
||||||
this.clientRegistrationBuilder.build(), this.authorizationExchange)))
|
|
||||||
.withMessageContaining("unauthorized_client");
|
|
||||||
}
|
|
||||||
finally {
|
|
||||||
server.shutdown();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// gh-5594
|
|
||||||
@Test
|
|
||||||
public void getTokenResponseWhenServerErrorResponseThenThrowOAuth2AuthorizationException() throws Exception {
|
|
||||||
MockWebServer server = new MockWebServer();
|
|
||||||
server.enqueue(new MockResponse().setResponseCode(500));
|
|
||||||
server.start();
|
|
||||||
String tokenUri = server.url("/oauth2/token").toString();
|
|
||||||
this.clientRegistrationBuilder.tokenUri(tokenUri);
|
|
||||||
try {
|
|
||||||
assertThatExceptionOfType(OAuth2AuthorizationException.class)
|
|
||||||
.isThrownBy(() -> this.tokenResponseClient.getTokenResponse(new OAuth2AuthorizationCodeGrantRequest(
|
|
||||||
this.clientRegistrationBuilder.build(), this.authorizationExchange)))
|
|
||||||
.withMessageContaining("server_error");
|
|
||||||
}
|
|
||||||
finally {
|
|
||||||
server.shutdown();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@Test
|
|
||||||
public void getTokenResponseWhenSuccessResponseAndNotBearerTokenTypeThenThrowOAuth2AuthorizationException()
|
|
||||||
throws Exception {
|
|
||||||
MockWebServer server = new MockWebServer();
|
|
||||||
// @formatter:off
|
|
||||||
String accessTokenSuccessResponse = "{\n"
|
|
||||||
+ " \"access_token\": \"access-token-1234\",\n"
|
|
||||||
+ " \"token_type\": \"not-bearer\",\n"
|
|
||||||
+ " \"expires_in\": \"3600\"\n"
|
|
||||||
+ "}\n";
|
|
||||||
// @formatter:on
|
|
||||||
server.enqueue(new MockResponse().setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
|
|
||||||
.setBody(accessTokenSuccessResponse));
|
|
||||||
server.start();
|
|
||||||
String tokenUri = server.url("/oauth2/token").toString();
|
|
||||||
this.clientRegistrationBuilder.tokenUri(tokenUri);
|
|
||||||
try {
|
|
||||||
assertThatExceptionOfType(OAuth2AuthorizationException.class)
|
|
||||||
.isThrownBy(() -> this.tokenResponseClient.getTokenResponse(new OAuth2AuthorizationCodeGrantRequest(
|
|
||||||
this.clientRegistrationBuilder.build(), this.authorizationExchange)))
|
|
||||||
.withMessageContaining("invalid_token_response");
|
|
||||||
}
|
|
||||||
finally {
|
|
||||||
server.shutdown();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@Test
|
|
||||||
public void getTokenResponseWhenSuccessResponseIncludesScopeThenReturnAccessTokenResponseUsingResponseScope()
|
|
||||||
throws Exception {
|
|
||||||
MockWebServer server = new MockWebServer();
|
|
||||||
// @formatter:off
|
|
||||||
String accessTokenSuccessResponse = "{\n"
|
|
||||||
+ " \"access_token\": \"access-token-1234\",\n"
|
|
||||||
+ " \"token_type\": \"bearer\",\n"
|
|
||||||
+ " \"expires_in\": \"3600\",\n"
|
|
||||||
+ " \"scope\": \"openid profile\"\n"
|
|
||||||
+ "}\n";
|
|
||||||
// @formatter:on
|
|
||||||
server.enqueue(new MockResponse().setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
|
|
||||||
.setBody(accessTokenSuccessResponse));
|
|
||||||
server.start();
|
|
||||||
String tokenUri = server.url("/oauth2/token").toString();
|
|
||||||
this.clientRegistrationBuilder.tokenUri(tokenUri);
|
|
||||||
OAuth2AuthorizationRequest authorizationRequest = TestOAuth2AuthorizationRequests.request()
|
|
||||||
.scope("openid", "profile", "email", "address").build();
|
|
||||||
OAuth2AuthorizationExchange authorizationExchange = new OAuth2AuthorizationExchange(authorizationRequest,
|
|
||||||
this.authorizationResponse);
|
|
||||||
OAuth2AccessTokenResponse accessTokenResponse = this.tokenResponseClient.getTokenResponse(
|
|
||||||
new OAuth2AuthorizationCodeGrantRequest(this.clientRegistrationBuilder.build(), authorizationExchange));
|
|
||||||
server.shutdown();
|
|
||||||
assertThat(accessTokenResponse.getAccessToken().getScopes()).containsExactly("openid", "profile");
|
|
||||||
}
|
|
||||||
|
|
||||||
@Test
|
|
||||||
public void getTokenResponseWhenSuccessResponseDoesNotIncludeScopeThenReturnAccessTokenResponseUsingRequestedScope()
|
|
||||||
throws Exception {
|
|
||||||
MockWebServer server = new MockWebServer();
|
|
||||||
// @formatter:off
|
|
||||||
String accessTokenSuccessResponse = "{\n"
|
|
||||||
+ " \"access_token\": \"access-token-1234\",\n"
|
|
||||||
+ " \"token_type\": \"bearer\",\n"
|
|
||||||
+ " \"expires_in\": \"3600\"\n"
|
|
||||||
+ "}\n";
|
|
||||||
// @formatter:on
|
|
||||||
server.enqueue(new MockResponse().setHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON_VALUE)
|
|
||||||
.setBody(accessTokenSuccessResponse));
|
|
||||||
server.start();
|
|
||||||
String tokenUri = server.url("/oauth2/token").toString();
|
|
||||||
this.clientRegistrationBuilder.tokenUri(tokenUri);
|
|
||||||
OAuth2AuthorizationRequest authorizationRequest = TestOAuth2AuthorizationRequests.request()
|
|
||||||
.scope("openid", "profile", "email", "address").build();
|
|
||||||
OAuth2AuthorizationExchange authorizationExchange = new OAuth2AuthorizationExchange(authorizationRequest,
|
|
||||||
this.authorizationResponse);
|
|
||||||
OAuth2AccessTokenResponse accessTokenResponse = this.tokenResponseClient.getTokenResponse(
|
|
||||||
new OAuth2AuthorizationCodeGrantRequest(this.clientRegistrationBuilder.build(), authorizationExchange));
|
|
||||||
server.shutdown();
|
|
||||||
assertThat(accessTokenResponse.getAccessToken().getScopes()).containsExactly("openid", "profile", "email",
|
|
||||||
"address");
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
Loading…
Reference in New Issue