Fix scope mapping

Issue gh-12101
This commit is contained in:
Steve Riesenberg 2022-10-26 09:18:42 -05:00
parent 5dbfa57c19
commit 75004587a4
No known key found for this signature in database
GPG Key ID: 5F311AB48A55D521
13 changed files with 147 additions and 117 deletions

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2018 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -27,7 +27,6 @@ import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse; import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter; import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import org.springframework.web.client.ResponseErrorHandler; import org.springframework.web.client.ResponseErrorHandler;
import org.springframework.web.client.RestClientException; import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestOperations; import org.springframework.web.client.RestOperations;
@ -78,20 +77,12 @@ public final class DefaultAuthorizationCodeTokenResponseClient implements OAuth2
"An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: " + ex.getMessage(), null); "An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: " + ex.getMessage(), null);
throw new OAuth2AuthorizationException(oauth2Error, ex); throw new OAuth2AuthorizationException(oauth2Error, ex);
} }
OAuth2AccessTokenResponse tokenResponse = response.getBody();
if (CollectionUtils.isEmpty(tokenResponse.getAccessToken().getScopes())) {
// As per spec, in Section 5.1 Successful Access Token Response // As per spec, in Section 5.1 Successful Access Token Response
// https://tools.ietf.org/html/rfc6749#section-5.1 // https://tools.ietf.org/html/rfc6749#section-5.1
// If AccessTokenResponse.scope is empty, then default to the scope // If AccessTokenResponse.scope is empty, then we assume all requested scopes were
// originally requested by the client in the Token Request // granted.
tokenResponse = OAuth2AccessTokenResponse.withResponse(tokenResponse) // However, we use the explicit scopes returned in the response (if any).
.scopes(authorizationCodeGrantRequest.getClientRegistration().getScopes()) return response.getBody();
.build();
}
return tokenResponse;
} }
/** /**

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2018 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -27,7 +27,6 @@ import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse; import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter; import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import org.springframework.web.client.ResponseErrorHandler; import org.springframework.web.client.ResponseErrorHandler;
import org.springframework.web.client.RestClientException; import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestOperations; import org.springframework.web.client.RestOperations;
@ -78,20 +77,12 @@ public final class DefaultClientCredentialsTokenResponseClient implements OAuth2
"An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: " + ex.getMessage(), null); "An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: " + ex.getMessage(), null);
throw new OAuth2AuthorizationException(oauth2Error, ex); throw new OAuth2AuthorizationException(oauth2Error, ex);
} }
OAuth2AccessTokenResponse tokenResponse = response.getBody();
if (CollectionUtils.isEmpty(tokenResponse.getAccessToken().getScopes())) {
// As per spec, in Section 5.1 Successful Access Token Response // As per spec, in Section 5.1 Successful Access Token Response
// https://tools.ietf.org/html/rfc6749#section-5.1 // https://tools.ietf.org/html/rfc6749#section-5.1
// If AccessTokenResponse.scope is empty, then default to the scope // If AccessTokenResponse.scope is empty, then we assume all requested scopes were
// originally requested by the client in the Token Request // granted.
tokenResponse = OAuth2AccessTokenResponse.withResponse(tokenResponse) // However, we use the explicit scopes returned in the response (if any).
.scopes(clientCredentialsGrantRequest.getClientRegistration().getScopes()) return response.getBody();
.build();
}
return tokenResponse;
} }
/** /**

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2019 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -27,7 +27,6 @@ import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse; import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter; import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import org.springframework.web.client.ResponseErrorHandler; import org.springframework.web.client.ResponseErrorHandler;
import org.springframework.web.client.RestClientException; import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestOperations; import org.springframework.web.client.RestOperations;
@ -78,20 +77,12 @@ public final class DefaultPasswordTokenResponseClient implements OAuth2AccessTok
"An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: " + ex.getMessage(), null); "An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: " + ex.getMessage(), null);
throw new OAuth2AuthorizationException(oauth2Error, ex); throw new OAuth2AuthorizationException(oauth2Error, ex);
} }
OAuth2AccessTokenResponse tokenResponse = response.getBody();
if (CollectionUtils.isEmpty(tokenResponse.getAccessToken().getScopes())) {
// As per spec, in Section 5.1 Successful Access Token Response // As per spec, in Section 5.1 Successful Access Token Response
// https://tools.ietf.org/html/rfc6749#section-5.1 // https://tools.ietf.org/html/rfc6749#section-5.1
// If AccessTokenResponse.scope is empty, then default to the scope // If AccessTokenResponse.scope is empty, then we assume all requested scopes were
// originally requested by the client in the Token Request // granted.
tokenResponse = OAuth2AccessTokenResponse.withResponse(tokenResponse) // However, we use the explicit scopes returned in the response (if any).
.scopes(passwordGrantRequest.getClientRegistration().getScopes()) return response.getBody();
.build();
}
return tokenResponse;
} }
/** /**

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2019 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -79,15 +79,7 @@ public class WebClientReactiveAuthorizationCodeTokenResponseClient implements Re
}) })
.body(body) .body(body)
.exchange() .exchange()
.flatMap(response -> response.body(oauth2AccessTokenResponse())) .flatMap(response -> response.body(oauth2AccessTokenResponse()));
.map(response -> {
if (response.getAccessToken().getScopes().isEmpty()) {
response = OAuth2AccessTokenResponse.withResponse(response)
.scopes(authorizationExchange.getAuthorizationRequest().getScopes())
.build();
}
return response;
});
}); });
} }

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2019 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -82,15 +82,7 @@ public class WebClientReactiveClientCredentialsTokenResponseClient implements Re
null null
))); )));
} }
return response.body(oauth2AccessTokenResponse()); }) return response.body(oauth2AccessTokenResponse()); });
.map(response -> {
if (response.getAccessToken().getScopes().isEmpty()) {
response = OAuth2AccessTokenResponse.withResponse(response)
.scopes(authorizationGrantRequest.getClientRegistration().getScopes())
.build();
}
return response;
});
}); });
} }

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2019 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -79,18 +79,6 @@ public final class WebClientReactivePasswordTokenResponseClient implements React
.then(Mono.error(new OAuth2AuthorizationException(oauth2Error))); .then(Mono.error(new OAuth2AuthorizationException(oauth2Error)));
} }
return response.body(oauth2AccessTokenResponse()); return response.body(oauth2AccessTokenResponse());
})
.map(tokenResponse -> {
if (CollectionUtils.isEmpty(tokenResponse.getAccessToken().getScopes())) {
// As per spec, in Section 5.1 Successful Access Token Response
// https://tools.ietf.org/html/rfc6749#section-5.1
// If AccessTokenResponse.scope is empty, then default to the scope
// originally requested by the client in the Token Request
tokenResponse = OAuth2AccessTokenResponse.withResponse(tokenResponse)
.scopes(passwordGrantRequest.getClientRegistration().getScopes())
.build();
}
return tokenResponse;
}); });
}); });
} }

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2018 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -218,7 +218,7 @@ public class DefaultAuthorizationCodeTokenResponseClientTests {
} }
@Test @Test
public void getTokenResponseWhenSuccessResponseDoesNotIncludeScopeThenAccessTokenHasDefaultScope() { public void getTokenResponseWhenSuccessResponseDoesNotIncludeScopeThenAccessTokenHasNoScope() {
String accessTokenSuccessResponse = "{\n" + String accessTokenSuccessResponse = "{\n" +
" \"access_token\": \"access-token-1234\",\n" + " \"access_token\": \"access-token-1234\",\n" +
" \"token_type\": \"bearer\",\n" + " \"token_type\": \"bearer\",\n" +
@ -230,7 +230,7 @@ public class DefaultAuthorizationCodeTokenResponseClientTests {
OAuth2AccessTokenResponse accessTokenResponse = OAuth2AccessTokenResponse accessTokenResponse =
this.tokenResponseClient.getTokenResponse(this.authorizationCodeGrantRequest()); this.tokenResponseClient.getTokenResponse(this.authorizationCodeGrantRequest());
assertThat(accessTokenResponse.getAccessToken().getScopes()).containsExactly("read", "write"); assertThat(accessTokenResponse.getAccessToken().getScopes()).isEmpty();
} }
@Test @Test

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2018 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -222,7 +222,7 @@ public class DefaultClientCredentialsTokenResponseClientTests {
} }
@Test @Test
public void getTokenResponseWhenSuccessResponseDoesNotIncludeScopeThenAccessTokenHasDefaultScope() { public void getTokenResponseWhenSuccessResponseDoesNotIncludeScopeThenAccessTokenHasNoScope() {
String accessTokenSuccessResponse = "{\n" + String accessTokenSuccessResponse = "{\n" +
" \"access_token\": \"access-token-1234\",\n" + " \"access_token\": \"access-token-1234\",\n" +
" \"token_type\": \"bearer\",\n" + " \"token_type\": \"bearer\",\n" +
@ -235,7 +235,7 @@ public class DefaultClientCredentialsTokenResponseClientTests {
OAuth2AccessTokenResponse accessTokenResponse = this.tokenResponseClient.getTokenResponse(clientCredentialsGrantRequest); OAuth2AccessTokenResponse accessTokenResponse = this.tokenResponseClient.getTokenResponse(clientCredentialsGrantRequest);
assertThat(accessTokenResponse.getAccessToken().getScopes()).containsExactly("read", "write"); assertThat(accessTokenResponse.getAccessToken().getScopes()).isEmpty();
} }
@Test @Test

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2019 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -86,11 +86,14 @@ public class DefaultPasswordTokenResponseClientTests {
@Test @Test
public void getTokenResponseWhenSuccessResponseThenReturnAccessTokenResponse() throws Exception { public void getTokenResponseWhenSuccessResponseThenReturnAccessTokenResponse() throws Exception {
String accessTokenSuccessResponse = "{\n" + // @formatter:off
" \"access_token\": \"access-token-1234\",\n" + String accessTokenSuccessResponse = "{\n"
" \"token_type\": \"bearer\",\n" + + " \"access_token\": \"access-token-1234\",\n"
" \"expires_in\": \"3600\"\n" + + " \"token_type\": \"bearer\",\n"
"}\n"; + " \"expires_in\": \"3600\",\n"
+ " \"scope\": \"read write\"\n"
+ "}\n";
// @formatter:on
this.server.enqueue(jsonResponse(accessTokenSuccessResponse)); this.server.enqueue(jsonResponse(accessTokenSuccessResponse));
Instant expiresAtBefore = Instant.now().plusSeconds(3600); Instant expiresAtBefore = Instant.now().plusSeconds(3600);
@ -123,11 +126,14 @@ public class DefaultPasswordTokenResponseClientTests {
@Test @Test
public void getTokenResponseWhenClientAuthenticationPostThenFormParametersAreSent() throws Exception { public void getTokenResponseWhenClientAuthenticationPostThenFormParametersAreSent() throws Exception {
String accessTokenSuccessResponse = "{\n" + // @formatter:off
" \"access_token\": \"access-token-1234\",\n" + String accessTokenSuccessResponse = "{\n"
" \"token_type\": \"bearer\",\n" + + " \"access_token\": \"access-token-1234\",\n"
" \"expires_in\": \"3600\"\n" + + " \"token_type\": \"bearer\",\n"
"}\n"; + " \"expires_in\": \"3600\",\n"
+ " \"scope\": \"read\"\n"
+ "}\n";
// @formatter:on
this.server.enqueue(jsonResponse(accessTokenSuccessResponse)); this.server.enqueue(jsonResponse(accessTokenSuccessResponse));
ClientRegistration clientRegistration = this.clientRegistrationBuilder ClientRegistration clientRegistration = this.clientRegistrationBuilder
@ -186,6 +192,22 @@ public class DefaultPasswordTokenResponseClientTests {
assertThat(accessTokenResponse.getAccessToken().getScopes()).containsExactly("read"); assertThat(accessTokenResponse.getAccessToken().getScopes()).containsExactly("read");
} }
@Test
public void getTokenResponseWhenSuccessResponseDoesNotIncludeScopeThenAccessTokenHasNoScope() {
// @formatter:off
String accessTokenSuccessResponse = "{\n"
+ " \"access_token\": \"access-token-1234\",\n"
+ " \"token_type\": \"bearer\",\n"
+ " \"expires_in\": \"3600\"\n"
+ "}\n";
// @formatter:on
this.server.enqueue(jsonResponse(accessTokenSuccessResponse));
OAuth2PasswordGrantRequest passwordGrantRequest = new OAuth2PasswordGrantRequest(
this.clientRegistrationBuilder.build(), this.username, this.password);
OAuth2AccessTokenResponse accessTokenResponse = this.tokenResponseClient.getTokenResponse(passwordGrantRequest);
assertThat(accessTokenResponse.getAccessToken().getScopes()).isEmpty();
}
@Test @Test
public void getTokenResponseWhenErrorResponseThenThrowOAuth2AuthorizationException() { public void getTokenResponseWhenErrorResponseThenThrowOAuth2AuthorizationException() {
String accessTokenErrorResponse = "{\n" + String accessTokenErrorResponse = "{\n" +

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2019 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -88,11 +88,14 @@ public class DefaultRefreshTokenTokenResponseClientTests {
@Test @Test
public void getTokenResponseWhenSuccessResponseThenReturnAccessTokenResponse() throws Exception { public void getTokenResponseWhenSuccessResponseThenReturnAccessTokenResponse() throws Exception {
String accessTokenSuccessResponse = "{\n" + // @formatter:off
" \"access_token\": \"access-token-1234\",\n" + String accessTokenSuccessResponse = "{\n"
" \"token_type\": \"bearer\",\n" + + " \"access_token\": \"access-token-1234\",\n"
" \"expires_in\": \"3600\"\n" + + " \"token_type\": \"bearer\",\n"
"}\n"; + " \"expires_in\": \"3600\",\n"
+ " \"scope\": \"read write\"\n"
+ "}\n";
// @formatter:on
this.server.enqueue(jsonResponse(accessTokenSuccessResponse)); this.server.enqueue(jsonResponse(accessTokenSuccessResponse));
Instant expiresAtBefore = Instant.now().plusSeconds(3600); Instant expiresAtBefore = Instant.now().plusSeconds(3600);
@ -121,6 +124,26 @@ public class DefaultRefreshTokenTokenResponseClientTests {
assertThat(accessTokenResponse.getRefreshToken().getTokenValue()).isEqualTo(this.refreshToken.getTokenValue()); assertThat(accessTokenResponse.getRefreshToken().getTokenValue()).isEqualTo(this.refreshToken.getTokenValue());
} }
@Test
public void getTokenResponseWhenSuccessResponseDoesNotIncludeScopeThenAccessTokenHasOriginalScope() {
// @formatter:off
String accessTokenSuccessResponse = "{\n"
+ " \"access_token\": \"access-token-1234\",\n"
+ " \"token_type\": \"bearer\",\n"
+ " \"expires_in\": \"3600\"\n"
+ "}\n";
// @formatter:on
this.server.enqueue(jsonResponse(accessTokenSuccessResponse));
ClientRegistration clientRegistration = this.clientRegistrationBuilder
.clientAuthenticationMethod(ClientAuthenticationMethod.POST).build();
OAuth2RefreshTokenGrantRequest refreshTokenGrantRequest = new OAuth2RefreshTokenGrantRequest(clientRegistration,
this.accessToken, this.refreshToken);
OAuth2AccessTokenResponse accessTokenResponse = this.tokenResponseClient
.getTokenResponse(refreshTokenGrantRequest);
assertThat(accessTokenResponse.getAccessToken().getScopes())
.containsExactly(this.accessToken.getScopes().toArray(new String[0]));
}
@Test @Test
public void getTokenResponseWhenClientAuthenticationPostThenFormParametersAreSent() throws Exception { public void getTokenResponseWhenClientAuthenticationPostThenFormParametersAreSent() throws Exception {
String accessTokenSuccessResponse = "{\n" + String accessTokenSuccessResponse = "{\n" +

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2019 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -226,7 +226,7 @@ public class WebClientReactiveAuthorizationCodeTokenResponseClientTests {
} }
@Test @Test
public void getTokenResponseWhenSuccessResponseDoesNotIncludeScopeThenReturnAccessTokenResponseUsingRequestedScope() { public void getTokenResponseWhenSuccessResponseDoesNotIncludeScopeThenReturnAccessTokenResponseWithNoScopes() {
String accessTokenSuccessResponse = "{\n" + String accessTokenSuccessResponse = "{\n" +
" \"access_token\": \"access-token-1234\",\n" + " \"access_token\": \"access-token-1234\",\n" +
" \"token_type\": \"bearer\",\n" + " \"token_type\": \"bearer\",\n" +
@ -239,7 +239,7 @@ public class WebClientReactiveAuthorizationCodeTokenResponseClientTests {
OAuth2AccessTokenResponse accessTokenResponse = this.tokenResponseClient.getTokenResponse(authorizationCodeGrantRequest()).block(); OAuth2AccessTokenResponse accessTokenResponse = this.tokenResponseClient.getTokenResponse(authorizationCodeGrantRequest()).block();
assertThat(accessTokenResponse.getAccessToken().getScopes()).containsExactly("openid", "profile", "email", "address"); assertThat(accessTokenResponse.getAccessToken().getScopes()).isEmpty();
} }
private OAuth2AuthorizationCodeGrantRequest authorizationCodeGrantRequest() { private OAuth2AuthorizationCodeGrantRequest authorizationCodeGrantRequest() {

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2019 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -78,6 +78,7 @@ public class WebClientReactiveClientCredentialsTokenResponseClientTests {
String body = actualRequest.getUtf8Body(); String body = actualRequest.getUtf8Body();
assertThat(response.getAccessToken()).isNotNull(); assertThat(response.getAccessToken()).isNotNull();
assertThat(response.getAccessToken().getScopes()).containsExactly("create");
assertThat(actualRequest.getHeader(HttpHeaders.AUTHORIZATION)).isEqualTo("Basic Y2xpZW50LWlkOmNsaWVudC1zZWNyZXQ="); assertThat(actualRequest.getHeader(HttpHeaders.AUTHORIZATION)).isEqualTo("Basic Y2xpZW50LWlkOmNsaWVudC1zZWNyZXQ=");
assertThat(body).isEqualTo("grant_type=client_credentials&scope=read%3Auser"); assertThat(body).isEqualTo("grant_type=client_credentials&scope=read%3Auser");
} }
@ -102,12 +103,13 @@ public class WebClientReactiveClientCredentialsTokenResponseClientTests {
String body = actualRequest.getUtf8Body(); String body = actualRequest.getUtf8Body();
assertThat(response.getAccessToken()).isNotNull(); assertThat(response.getAccessToken()).isNotNull();
assertThat(response.getAccessToken().getScopes()).containsExactly("create");
assertThat(actualRequest.getHeader(HttpHeaders.AUTHORIZATION)).isNull(); assertThat(actualRequest.getHeader(HttpHeaders.AUTHORIZATION)).isNull();
assertThat(body).isEqualTo("grant_type=client_credentials&scope=read%3Auser&client_id=client-id&client_secret=client-secret"); assertThat(body).isEqualTo("grant_type=client_credentials&scope=read%3Auser&client_id=client-id&client_secret=client-secret");
} }
@Test @Test
public void getTokenResponseWhenNoScopeThenClientRegistrationScopesDefaulted() { public void getTokenResponseWhenNoScopeThenReturnAccessTokenResponseWithNoScopes() {
ClientRegistration registration = this.clientRegistration.build(); ClientRegistration registration = this.clientRegistration.build();
enqueueJson("{\n" enqueueJson("{\n"
+ " \"access_token\":\"MTQ0NjJkZmQ5OTM2NDE1ZTZjNGZmZjI3\",\n" + " \"access_token\":\"MTQ0NjJkZmQ5OTM2NDE1ZTZjNGZmZjI3\",\n"
@ -119,7 +121,7 @@ public class WebClientReactiveClientCredentialsTokenResponseClientTests {
OAuth2AccessTokenResponse response = this.client.getTokenResponse(request).block(); OAuth2AccessTokenResponse response = this.client.getTokenResponse(request).block();
assertThat(response.getAccessToken().getScopes()).isEqualTo(registration.getScopes()); assertThat(response.getAccessToken().getScopes()).isEmpty();
} }
@Test(expected=IllegalArgumentException.class) @Test(expected=IllegalArgumentException.class)

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2019 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -74,12 +74,50 @@ public class WebClientReactivePasswordTokenResponseClientTests {
} }
@Test @Test
public void getTokenResponseWhenSuccessResponseThenReturnAccessTokenResponse() throws Exception { public void getTokenResponseWhenSuccessResponseDoesNotIncludeScopeThenReturnAccessTokenResponseWithNoScope()
String accessTokenSuccessResponse = "{\n" + throws Exception {
" \"access_token\": \"access-token-1234\",\n" + // @formatter:off
" \"token_type\": \"bearer\",\n" + String accessTokenSuccessResponse = "{\n"
" \"expires_in\": \"3600\"\n" + + " \"access_token\": \"access-token-1234\",\n"
"}\n"; + " \"token_type\": \"bearer\",\n"
+ " \"expires_in\": \"3600\"\n"
+ "}\n";
// @formatter:on
this.server.enqueue(jsonResponse(accessTokenSuccessResponse));
Instant expiresAtBefore = Instant.now().plusSeconds(3600);
ClientRegistration clientRegistration = this.clientRegistrationBuilder.build();
OAuth2PasswordGrantRequest passwordGrantRequest = new OAuth2PasswordGrantRequest(clientRegistration,
this.username, this.password);
OAuth2AccessTokenResponse accessTokenResponse = this.tokenResponseClient.getTokenResponse(passwordGrantRequest)
.block();
Instant expiresAtAfter = Instant.now().plusSeconds(3600);
RecordedRequest recordedRequest = this.server.takeRequest();
assertThat(recordedRequest.getMethod()).isEqualTo(HttpMethod.POST.toString());
assertThat(recordedRequest.getHeader(HttpHeaders.ACCEPT)).isEqualTo(MediaType.APPLICATION_JSON_VALUE);
assertThat(recordedRequest.getHeader(HttpHeaders.CONTENT_TYPE))
.isEqualTo(MediaType.APPLICATION_FORM_URLENCODED_VALUE + ";charset=UTF-8");
String formParameters = recordedRequest.getBody().readUtf8();
assertThat(formParameters).contains("grant_type=password");
assertThat(formParameters).contains("username=user1");
assertThat(formParameters).contains("password=password");
assertThat(formParameters).contains("scope=read+write");
assertThat(accessTokenResponse.getAccessToken().getTokenValue()).isEqualTo("access-token-1234");
assertThat(accessTokenResponse.getAccessToken().getTokenType()).isEqualTo(OAuth2AccessToken.TokenType.BEARER);
assertThat(accessTokenResponse.getAccessToken().getExpiresAt()).isBetween(expiresAtBefore, expiresAtAfter);
assertThat(accessTokenResponse.getAccessToken().getScopes()).isEmpty();
assertThat(accessTokenResponse.getRefreshToken()).isNull();
}
@Test
public void getTokenResponseWhenSuccessResponseIncludesScopeThenReturnAccessTokenResponse() throws Exception {
// @formatter:off
String accessTokenSuccessResponse = "{\n"
+ " \"access_token\": \"access-token-1234\",\n"
+ " \"token_type\": \"bearer\",\n"
+ " \"expires_in\": \"3600\",\n"
+ " \"scope\": \"read write\"\n"
+ "}\n";
// @formatter:on
this.server.enqueue(jsonResponse(accessTokenSuccessResponse)); this.server.enqueue(jsonResponse(accessTokenSuccessResponse));
Instant expiresAtBefore = Instant.now().plusSeconds(3600); Instant expiresAtBefore = Instant.now().plusSeconds(3600);