Add OAuth2AuthorizationCodeReactiveAuthenticationManager
Issue: gh-5620
This commit is contained in:
Rob Winch
parent
f843da1942
commit
8b67154e77
|
|
@ -0,0 +1,93 @@
|
|||
/*
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.security.oauth2.client.authentication;
|
||||
|
||||
import org.springframework.security.authentication.ReactiveAuthenticationManager;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
|
||||
import org.springframework.security.oauth2.client.endpoint.ReactiveOAuth2AccessTokenResponseClient;
|
||||
import org.springframework.security.oauth2.client.registration.ClientRegistration;
|
||||
import org.springframework.security.oauth2.client.userinfo.ReactiveOAuth2UserService;
|
||||
import org.springframework.security.oauth2.core.OAuth2AccessToken;
|
||||
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
|
||||
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
|
||||
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange;
|
||||
import org.springframework.security.oauth2.core.user.OAuth2User;
|
||||
import org.springframework.util.Assert;
|
||||
import reactor.core.publisher.Mono;
|
||||
|
||||
import java.util.function.Function;
|
||||
|
||||
/**
|
||||
* An implementation of an {@link org.springframework.security.authentication.AuthenticationProvider} for OAuth 2.0 Login,
|
||||
* which leverages the OAuth 2.0 Authorization Code Grant Flow.
|
||||
*
|
||||
* This {@link org.springframework.security.authentication.AuthenticationProvider} is responsible for authenticating
|
||||
* an Authorization Code credential with the Authorization Server's Token Endpoint
|
||||
* and if valid, exchanging it for an Access Token credential.
|
||||
* <p>
|
||||
* It will also obtain the user attributes of the End-User (Resource Owner)
|
||||
* from the UserInfo Endpoint using an {@link org.springframework.security.oauth2.client.userinfo.OAuth2UserService},
|
||||
* which will create a {@code Principal} in the form of an {@link OAuth2User}.
|
||||
* The {@code OAuth2User} is then associated to the {@link OAuth2LoginAuthenticationToken}
|
||||
* to complete the authentication.
|
||||
*
|
||||
* @author Rob Winch
|
||||
* @since 5.1
|
||||
* @see OAuth2LoginAuthenticationToken
|
||||
* @see ReactiveOAuth2AccessTokenResponseClient
|
||||
* @see ReactiveOAuth2UserService
|
||||
* @see OAuth2User
|
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.1">Section 4.1 Authorization Code Grant Flow</a>
|
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.1.3">Section 4.1.3 Access Token Request</a>
|
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.1.4">Section 4.1.4 Access Token Response</a>
|
||||
*/
|
||||
public class OAuth2AuthorizationCodeReactiveAuthenticationManager implements
|
||||
ReactiveAuthenticationManager {
|
||||
private final ReactiveOAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient;
|
||||
|
||||
public OAuth2AuthorizationCodeReactiveAuthenticationManager(
|
||||
ReactiveOAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient) {
|
||||
Assert.notNull(accessTokenResponseClient, "accessTokenResponseClient cannot be null");
|
||||
this.accessTokenResponseClient = accessTokenResponseClient;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Mono<Authentication> authenticate(Authentication authentication) {
|
||||
return Mono.defer(() -> {
|
||||
OAuth2AuthorizationCodeAuthenticationToken token = (OAuth2AuthorizationCodeAuthenticationToken) authentication;
|
||||
|
||||
OAuth2AuthorizationExchangeValidator.validate(token.getAuthorizationExchange());
|
||||
|
||||
OAuth2AuthorizationCodeGrantRequest authzRequest = new OAuth2AuthorizationCodeGrantRequest(
|
||||
token.getClientRegistration(),
|
||||
token.getAuthorizationExchange());
|
||||
|
||||
return this.accessTokenResponseClient.getTokenResponse(authzRequest)
|
||||
.map(onSuccess(token));
|
||||
});
|
||||
}
|
||||
|
||||
private Function<OAuth2AccessTokenResponse, OAuth2AuthorizationCodeAuthenticationToken> onSuccess(OAuth2AuthorizationCodeAuthenticationToken token) {
|
||||
return accessTokenResponse -> {
|
||||
ClientRegistration registration = token.getClientRegistration();
|
||||
OAuth2AuthorizationExchange exchange = token.getAuthorizationExchange();
|
||||
OAuth2AccessToken accessToken = accessTokenResponse.getAccessToken();
|
||||
OAuth2RefreshToken refreshToken = accessTokenResponse.getRefreshToken();
|
||||
return new OAuth2AuthorizationCodeAuthenticationToken(registration, exchange, accessToken, refreshToken);
|
||||
};
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,123 @@
|
|||
/*
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.oauth2.client.authentication;
|
||||
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.mockito.Mock;
|
||||
import org.mockito.junit.MockitoJUnitRunner;
|
||||
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
|
||||
import org.springframework.security.oauth2.client.endpoint.ReactiveOAuth2AccessTokenResponseClient;
|
||||
import org.springframework.security.oauth2.client.registration.ClientRegistration;
|
||||
import org.springframework.security.oauth2.client.registration.TestClientRegistrations;
|
||||
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
|
||||
import org.springframework.security.oauth2.core.OAuth2Error;
|
||||
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
|
||||
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange;
|
||||
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
|
||||
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse;
|
||||
import org.springframework.security.oauth2.core.endpoint.TestOAuth2AccessTokenResponses;
|
||||
import org.springframework.security.oauth2.core.endpoint.TestOAuth2AuthorizationRequests;
|
||||
import org.springframework.security.oauth2.core.endpoint.TestOAuth2AuthorizationResponses;
|
||||
import reactor.core.publisher.Mono;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatCode;
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.powermock.api.mockito.PowerMockito.when;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
* @since 5.1
|
||||
*/
|
||||
@RunWith(MockitoJUnitRunner.class)
|
||||
public class OAuth2AuthorizationCodeReactiveAuthenticationManagerTests {
|
||||
@Mock
|
||||
private ReactiveOAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient;
|
||||
|
||||
private OAuth2AuthorizationCodeReactiveAuthenticationManager manager;
|
||||
|
||||
private ClientRegistration.Builder registration = TestClientRegistrations.clientRegistration();
|
||||
|
||||
private OAuth2AuthorizationRequest.Builder authorizationRequest = TestOAuth2AuthorizationRequests.request();
|
||||
|
||||
private OAuth2AuthorizationResponse.Builder authorizationResponse = TestOAuth2AuthorizationResponses.success();
|
||||
|
||||
private OAuth2AccessTokenResponse.Builder tokenResponse = TestOAuth2AccessTokenResponses
|
||||
.accessTokenResponse();
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
this.manager = new OAuth2AuthorizationCodeReactiveAuthenticationManager(this.accessTokenResponseClient);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void authenticateWhenErrorThenOAuth2AuthenticationException() {
|
||||
this.authorizationResponse = TestOAuth2AuthorizationResponses.error();
|
||||
assertThatCode(() -> authenticate())
|
||||
.isInstanceOf(OAuth2AuthenticationException.class);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void authenticateWhenStateNotEqualThenOAuth2AuthenticationException() {
|
||||
this.authorizationRequest.state("notequal");
|
||||
assertThatCode(() -> authenticate())
|
||||
.isInstanceOf(OAuth2AuthenticationException.class);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void authenticateWhenRedirectUriNotEqualThenOAuth2AuthenticationException() {
|
||||
this.authorizationRequest.redirectUri("https://example.org/notequal");
|
||||
assertThatCode(() -> authenticate())
|
||||
.isInstanceOf(OAuth2AuthenticationException.class);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void authenticateWhenValidThenSuccess() {
|
||||
when(this.accessTokenResponseClient.getTokenResponse(any())).thenReturn(Mono.just(this.tokenResponse.build()));
|
||||
|
||||
OAuth2AuthorizationCodeAuthenticationToken result = authenticate();
|
||||
|
||||
assertThat(result).isNotNull();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void authenticateWhenEmptyThenEmpty() {
|
||||
when(this.accessTokenResponseClient.getTokenResponse(any())).thenReturn(Mono.empty());
|
||||
|
||||
OAuth2AuthorizationCodeAuthenticationToken result = authenticate();
|
||||
|
||||
assertThat(result).isNull();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void authenticateWhenOAuth2AuthenticationExceptionThenOAuth2AuthenticationException() {
|
||||
when(this.accessTokenResponseClient.getTokenResponse(any())).thenReturn(Mono.error(() -> new OAuth2AuthenticationException(new OAuth2Error("error"))));
|
||||
|
||||
assertThatCode(() -> authenticate())
|
||||
.isInstanceOf(OAuth2AuthenticationException.class);
|
||||
}
|
||||
|
||||
private OAuth2AuthorizationCodeAuthenticationToken authenticate() {
|
||||
OAuth2AuthorizationExchange exchange = new OAuth2AuthorizationExchange(
|
||||
this.authorizationRequest.build(), this.authorizationResponse.build());
|
||||
OAuth2AuthorizationCodeAuthenticationToken token = new OAuth2AuthorizationCodeAuthenticationToken(
|
||||
this.registration.build(), exchange);
|
||||
return (OAuth2AuthorizationCodeAuthenticationToken) this.manager.authenticate(token).block();
|
||||
}
|
||||
}
|
||||
Loading…
Reference in New Issue