diff --git a/config/src/main/java/org/springframework/security/config/oauth2/client/CommonOAuth2Provider.java b/config/src/main/java/org/springframework/security/config/oauth2/client/CommonOAuth2Provider.java new file mode 100644 index 0000000000..9d823735f2 --- /dev/null +++ b/config/src/main/java/org/springframework/security/config/oauth2/client/CommonOAuth2Provider.java @@ -0,0 +1,116 @@ +/* + * Copyright 2012-2017 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.springframework.security.config.oauth2.client; + +import org.springframework.security.oauth2.client.registration.ClientRegistration; +import org.springframework.security.oauth2.client.registration.ClientRegistration.Builder; +import org.springframework.security.oauth2.core.AuthorizationGrantType; +import org.springframework.security.oauth2.core.ClientAuthenticationMethod; +import org.springframework.security.oauth2.oidc.core.IdTokenClaim; + +/** + * Common OAuth2 Providers that can be used to create + * {@link org.springframework.security.oauth2.client.registration.ClientRegistration.Builder + * builders} pre-configured with sensible defaults. + * + * @author Phillip Webb + * @since 5.0 + */ +public enum CommonOAuth2Provider { + + GOOGLE { + + @Override + public Builder getBuilder(String registrationId) { + ClientRegistration.Builder builder = getBuilder(registrationId, + ClientAuthenticationMethod.BASIC, DEFAULT_REDIRECT_URL); + builder.scope("openid", "profile", "email", "address", "phone"); + builder.authorizationUri("https://accounts.google.com/o/oauth2/v2/auth"); + builder.tokenUri("https://www.googleapis.com/oauth2/v4/token"); + builder.jwkSetUri("https://www.googleapis.com/oauth2/v3/certs"); + builder.userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo"); + builder.userNameAttributeName(IdTokenClaim.SUB); + builder.clientName("Google"); + return builder; + } + }, + + GITHUB { + + @Override + public Builder getBuilder(String registrationId) { + ClientRegistration.Builder builder = getBuilder(registrationId, + ClientAuthenticationMethod.BASIC, DEFAULT_REDIRECT_URL); + builder.scope("user"); + builder.authorizationUri("https://github.com/login/oauth/authorize"); + builder.tokenUri("https://github.com/login/oauth/access_token"); + builder.userInfoUri("https://api.github.com/user"); + builder.userNameAttributeName("name"); + builder.clientName("GitHub"); + return builder; + } + }, + + FACEBOOK { + + @Override + public Builder getBuilder(String registrationId) { + ClientRegistration.Builder builder = getBuilder(registrationId, + ClientAuthenticationMethod.POST, DEFAULT_REDIRECT_URL); + builder.scope("public_profile", "email"); + builder.authorizationUri("https://www.facebook.com/v2.8/dialog/oauth"); + builder.tokenUri("https://graph.facebook.com/v2.8/oauth/access_token"); + builder.userInfoUri("https://graph.facebook.com/me"); + builder.userNameAttributeName("name"); + builder.clientName("Facebook"); + return builder; + } + }, + + OKTA { + + @Override + public Builder getBuilder(String registrationId) { + ClientRegistration.Builder builder = getBuilder(registrationId, + ClientAuthenticationMethod.BASIC, DEFAULT_REDIRECT_URL); + builder.scope("openid", "profile", "email", "address", "phone"); + builder.userNameAttributeName(IdTokenClaim.SUB); + builder.clientName("Okta"); + return builder; + } + }; + + private static final String DEFAULT_REDIRECT_URL = "{scheme}://{serverName}:{serverPort}{contextPath}/oauth2/authorize/code/{registrationId}"; + + protected final ClientRegistration.Builder getBuilder(String registrationId, + ClientAuthenticationMethod method, String redirectUri) { + ClientRegistration.Builder builder = new ClientRegistration.Builder(registrationId); + builder.clientAuthenticationMethod(method); + builder.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE); + builder.redirectUri(redirectUri); + return builder; + } + + /** + * Create a new + * {@link org.springframework.security.oauth2.client.registration.ClientRegistration.Builder + * ClientRegistration.Builder} pre-configured with provider defaults. + * @param registrationId the registration-id used with the new builder + * @return a builder instance + */ + public abstract ClientRegistration.Builder getBuilder(String registrationId); + +} diff --git a/config/src/test/java/org/springframework/security/config/oauth2/client/CommonOAuth2ProviderTests.java b/config/src/test/java/org/springframework/security/config/oauth2/client/CommonOAuth2ProviderTests.java new file mode 100644 index 0000000000..1c135e8366 --- /dev/null +++ b/config/src/test/java/org/springframework/security/config/oauth2/client/CommonOAuth2ProviderTests.java @@ -0,0 +1,142 @@ +/* + * Copyright 2012-2017 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.springframework.security.config.oauth2.client; + +import org.junit.Test; +import org.springframework.security.oauth2.client.registration.ClientRegistration; +import org.springframework.security.oauth2.client.registration.ClientRegistration.ProviderDetails; +import org.springframework.security.oauth2.core.AuthorizationGrantType; +import org.springframework.security.oauth2.core.ClientAuthenticationMethod; +import org.springframework.security.oauth2.oidc.core.IdTokenClaim; + +import static org.assertj.core.api.Assertions.assertThat; + +/** + * Tests for {@link CommonOAuth2Provider}. + * + * @author Phillip Webb + */ +public class CommonOAuth2ProviderTests { + + private static final String DEFAULT_REDIRECT_URL = "{scheme}://{serverName}:{serverPort}{contextPath}/oauth2/authorize/code/{registrationId}"; + + @Test + public void getBuilderWhenGoogleShouldHaveGoogleSettings() throws Exception { + ClientRegistration registration = build(CommonOAuth2Provider.GOOGLE); + ProviderDetails providerDetails = registration.getProviderDetails(); + assertThat(providerDetails.getAuthorizationUri()) + .isEqualTo("https://accounts.google.com/o/oauth2/v2/auth"); + assertThat(providerDetails.getTokenUri()) + .isEqualTo("https://www.googleapis.com/oauth2/v4/token"); + assertThat(providerDetails.getUserInfoEndpoint().getUri()) + .isEqualTo("https://www.googleapis.com/oauth2/v3/userinfo"); + assertThat(providerDetails.getUserInfoEndpoint().getUserNameAttributeName()) + .isEqualTo(IdTokenClaim.SUB); + assertThat(providerDetails.getJwkSetUri()) + .isEqualTo("https://www.googleapis.com/oauth2/v3/certs"); + assertThat(registration.getClientAuthenticationMethod()) + .isEqualTo(ClientAuthenticationMethod.BASIC); + assertThat(registration.getAuthorizationGrantType()) + .isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE); + assertThat(registration.getRedirectUri()).isEqualTo(DEFAULT_REDIRECT_URL); + assertThat(registration.getScope()).containsOnly("openid", "profile", "email", + "address", "phone"); + assertThat(registration.getClientName()).isEqualTo("Google"); + assertThat(registration.getRegistrationId()).isEqualTo("123"); + } + + @Test + public void getBuilderWhenGitHubShouldHaveGitHubSettings() throws Exception { + ClientRegistration registration = build(CommonOAuth2Provider.GITHUB); + ProviderDetails providerDetails = registration.getProviderDetails(); + assertThat(providerDetails.getAuthorizationUri()) + .isEqualTo("https://github.com/login/oauth/authorize"); + assertThat(providerDetails.getTokenUri()) + .isEqualTo("https://github.com/login/oauth/access_token"); + assertThat(providerDetails.getUserInfoEndpoint().getUri()) + .isEqualTo("https://api.github.com/user"); + assertThat(providerDetails.getUserInfoEndpoint().getUserNameAttributeName()) + .isEqualTo("name"); + assertThat(providerDetails.getJwkSetUri()).isNull(); + assertThat(registration.getClientAuthenticationMethod()) + .isEqualTo(ClientAuthenticationMethod.BASIC); + assertThat(registration.getAuthorizationGrantType()) + .isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE); + assertThat(registration.getRedirectUri()).isEqualTo(DEFAULT_REDIRECT_URL); + assertThat(registration.getScope()).containsOnly("user"); + assertThat(registration.getClientName()).isEqualTo("GitHub"); + assertThat(registration.getRegistrationId()).isEqualTo("123"); + } + + @Test + public void getBuilderWhenFacebookShouldHaveFacebookSettings() throws Exception { + ClientRegistration registration = build(CommonOAuth2Provider.FACEBOOK); + ProviderDetails providerDetails = registration.getProviderDetails(); + assertThat(providerDetails.getAuthorizationUri()) + .isEqualTo("https://www.facebook.com/v2.8/dialog/oauth"); + assertThat(providerDetails.getTokenUri()) + .isEqualTo("https://graph.facebook.com/v2.8/oauth/access_token"); + assertThat(providerDetails.getUserInfoEndpoint().getUri()) + .isEqualTo("https://graph.facebook.com/me"); + assertThat(providerDetails.getUserInfoEndpoint().getUserNameAttributeName()) + .isEqualTo("name"); + assertThat(providerDetails.getJwkSetUri()).isNull(); + assertThat(registration.getClientAuthenticationMethod()) + .isEqualTo(ClientAuthenticationMethod.POST); + assertThat(registration.getAuthorizationGrantType()) + .isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE); + assertThat(registration.getRedirectUri()).isEqualTo(DEFAULT_REDIRECT_URL); + assertThat(registration.getScope()).containsOnly("public_profile", "email"); + assertThat(registration.getClientName()).isEqualTo("Facebook"); + assertThat(registration.getRegistrationId()).isEqualTo("123"); + } + + @Test + public void getBuilderWhenOktaShouldHaveOktaSettings() throws Exception { + ClientRegistration registration = builder(CommonOAuth2Provider.OKTA) + .authorizationUri("http://example.com/auth") + .tokenUri("http://example.com/token") + .userInfoUri("http://example.com/info").build(); + ProviderDetails providerDetails = registration.getProviderDetails(); + assertThat(providerDetails.getAuthorizationUri()) + .isEqualTo("http://example.com/auth"); + assertThat(providerDetails.getTokenUri()).isEqualTo("http://example.com/token"); + assertThat(providerDetails.getUserInfoEndpoint().getUri()).isEqualTo("http://example.com/info"); + assertThat(providerDetails.getUserInfoEndpoint().getUserNameAttributeName()) + .isEqualTo(IdTokenClaim.SUB); + assertThat(providerDetails.getJwkSetUri()).isNull(); + assertThat(registration.getClientAuthenticationMethod()) + .isEqualTo(ClientAuthenticationMethod.BASIC); + assertThat(registration.getAuthorizationGrantType()) + .isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE); + assertThat(registration.getRedirectUri()).isEqualTo(DEFAULT_REDIRECT_URL); + assertThat(registration.getScope()).containsOnly("openid", "profile", "email", + "address", "phone"); + assertThat(registration.getClientName()).isEqualTo("Okta"); + assertThat(registration.getRegistrationId()).isEqualTo("123"); + } + + private ClientRegistration build(CommonOAuth2Provider provider) { + return builder(provider).build(); + } + + private ClientRegistration.Builder builder(CommonOAuth2Provider provider) { + return provider.getBuilder("123") + .clientId("abcd") + .clientSecret("secret"); + } + +}