parent
34668e05af
commit
9afefef3b9
|
@ -78,7 +78,7 @@ final class FilterComparator implements Comparator<Filter>, Serializable {
|
|||
put(LogoutFilter.class, order);
|
||||
order += STEP;
|
||||
filterToOrder.put(
|
||||
"org.springframework.security.oauth2.client.web.AuthorizationRequestRedirectFilter",
|
||||
"org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter",
|
||||
order);
|
||||
order += STEP;
|
||||
put(X509AuthenticationFilter.class, order);
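Review bot: The redirect filter's order is registered under a fully-qualified class name written as a string literal in `filterToOrder.put(...)`, so the compiler cannot confirm that the literal still matches the renamed class, whereas the neighbouring entries use `put(LogoutFilter.class, order)` and are checked. The `+`/`-` markers did not survive on this page, so the `...web.OAuth2AuthorizationRequestRedirectFilter` literal is presumed to be the new side. A mismatch would leave the filter that starts the authorization request without a registered position, and that would only show up at runtime. I would add a comment above the entry such as `// String key: must equal OAuth2AuthorizationRequestRedirectFilter.class.getName()` and a test that asserts exactly that equality. The enclosing constructor starts and ends outside the hunk.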
|
||||
|
|
|
@ -1014,7 +1014,7 @@ public final class HttpSecurity extends
|
|||
* }
|
||||
*
|
||||
* @Bean
|
||||
* public AuthorizationGrantTokenExchanger<AuthorizationCodeAuthenticationToken> authorizationCodeTokenExchanger() {
|
||||
* public AuthorizationGrantTokenExchanger<OAuth2AuthorizationCodeAuthenticationToken> authorizationCodeTokenExchanger() {
|
||||
* // Custom implementation that exchanges an "Authorization Code Grant" for an "Access Token"
|
||||
* return new AuthorizationCodeTokenExchangerImpl();
|
||||
* }
|
||||
|
|
|
@ -19,7 +19,7 @@ import org.springframework.context.ApplicationContext;
|
|||
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
|
||||
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
|
||||
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
|
||||
import org.springframework.security.oauth2.client.web.AuthorizationRequestRedirectFilter;
|
||||
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
|
||||
import org.springframework.security.oauth2.client.endpoint.AuthorizationRequestUriBuilder;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
|
@ -55,7 +55,7 @@ public final class ImplicitGrantConfigurer<B extends HttpSecurityBuilder<B>> ext
|
|||
|
||||
@Override
|
||||
public void configure(B http) throws Exception {
|
||||
AuthorizationRequestRedirectFilter authorizationRequestFilter = new AuthorizationRequestRedirectFilter(
|
||||
OAuth2AuthorizationRequestRedirectFilter authorizationRequestFilter = new OAuth2AuthorizationRequestRedirectFilter(
|
||||
this.getAuthorizationRequestBaseUri(), this.getClientRegistrationRepository());
|
||||
if (this.authorizationRequestUriBuilder != null) {
|
||||
authorizationRequestFilter.setAuthorizationRequestUriBuilder(this.authorizationRequestUriBuilder);
|
||||
|
@ -66,7 +66,7 @@ public final class ImplicitGrantConfigurer<B extends HttpSecurityBuilder<B>> ext
|
|||
private String getAuthorizationRequestBaseUri() {
|
||||
return this.authorizationRequestBaseUri != null ?
|
||||
this.authorizationRequestBaseUri :
|
||||
AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI;
|
||||
OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI;
|
||||
}
|
||||
|
||||
private ClientRegistrationRepository getClientRegistrationRepository() {
|
||||
|
|
|
@ -21,7 +21,7 @@ import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
|
|||
import org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer;
|
||||
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
|
||||
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
|
||||
import org.springframework.security.oauth2.client.authentication.AuthorizationCodeAuthenticationToken;
|
||||
import org.springframework.security.oauth2.client.authentication.OAuth2AuthorizationCodeAuthenticationToken;
|
||||
import org.springframework.security.oauth2.client.authentication.AuthorizationGrantTokenExchanger;
|
||||
import org.springframework.security.oauth2.client.authentication.NimbusAuthorizationCodeTokenExchanger;
|
||||
import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationProvider;
|
||||
|
@ -39,7 +39,7 @@ import org.springframework.security.oauth2.client.userinfo.CustomUserTypesOAuth2
|
|||
import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
|
||||
import org.springframework.security.oauth2.client.userinfo.DelegatingOAuth2UserService;
|
||||
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
|
||||
import org.springframework.security.oauth2.client.web.AuthorizationRequestRedirectFilter;
|
||||
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
|
||||
import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository;
|
||||
import org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter;
|
||||
import org.springframework.security.oauth2.core.OAuth2AccessToken;
|
||||
|
@ -133,7 +133,7 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>> exten
|
|||
}
|
||||
|
||||
public class TokenEndpointConfig {
|
||||
private AuthorizationGrantTokenExchanger<AuthorizationCodeAuthenticationToken> authorizationCodeTokenExchanger;
|
||||
private AuthorizationGrantTokenExchanger<OAuth2AuthorizationCodeAuthenticationToken> authorizationCodeTokenExchanger;
|
||||
private OAuth2TokenRepository<OAuth2AccessToken> accessTokenRepository;
|
||||
private JwtDecoderRegistry jwtDecoderRegistry;
|
||||
|
||||
|
@ -141,7 +141,7 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>> exten
|
|||
}
|
||||
|
||||
public TokenEndpointConfig authorizationCodeTokenExchanger(
|
||||
AuthorizationGrantTokenExchanger<AuthorizationCodeAuthenticationToken> authorizationCodeTokenExchanger) {
|
||||
AuthorizationGrantTokenExchanger<OAuth2AuthorizationCodeAuthenticationToken> authorizationCodeTokenExchanger) {
|
||||
|
||||
Assert.notNull(authorizationCodeTokenExchanger, "authorizationCodeTokenExchanger cannot be null");
|
||||
this.authorizationCodeTokenExchanger = authorizationCodeTokenExchanger;
|
||||
|
@ -226,7 +226,7 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>> exten
|
|||
public void init(B http) throws Exception {
|
||||
super.init(http);
|
||||
|
||||
AuthorizationGrantTokenExchanger<AuthorizationCodeAuthenticationToken> authorizationCodeTokenExchanger =
|
||||
AuthorizationGrantTokenExchanger<OAuth2AuthorizationCodeAuthenticationToken> authorizationCodeTokenExchanger =
|
||||
this.tokenEndpointConfig.authorizationCodeTokenExchanger;
|
||||
if (authorizationCodeTokenExchanger == null) {
|
||||
authorizationCodeTokenExchanger = new NimbusAuthorizationCodeTokenExchanger();
|
||||
|
@ -274,10 +274,10 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>> exten
|
|||
public void configure(B http) throws Exception {
|
||||
String authorizationRequestBaseUri = this.authorizationEndpointConfig.authorizationRequestBaseUri;
|
||||
if (authorizationRequestBaseUri == null) {
|
||||
authorizationRequestBaseUri = AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI;
|
||||
authorizationRequestBaseUri = OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI;
|
||||
}
|
||||
|
||||
AuthorizationRequestRedirectFilter authorizationRequestFilter = new AuthorizationRequestRedirectFilter(
|
||||
OAuth2AuthorizationRequestRedirectFilter authorizationRequestFilter = new OAuth2AuthorizationRequestRedirectFilter(
|
||||
authorizationRequestBaseUri, this.getClientRegistrationRepository());
|
||||
if (this.authorizationEndpointConfig.authorizationRequestUriBuilder != null) {
|
||||
authorizationRequestFilter.setAuthorizationRequestUriBuilder(
|
||||
|
@ -341,7 +341,7 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>> exten
|
|||
|
||||
String authorizationRequestBaseUri = this.authorizationEndpointConfig.authorizationRequestBaseUri != null ?
|
||||
this.authorizationEndpointConfig.authorizationRequestBaseUri :
|
||||
AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI;
|
||||
OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI;
|
||||
Map<String, String> authenticationUrlToClientName = new HashMap<>();
|
||||
|
||||
clientRegistrations.forEach(registration -> authenticationUrlToClientName.put(
|
||||
|
|
|
@ -31,11 +31,11 @@ import java.util.Collections;
|
|||
* @see AuthorizationGrantType
|
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-1.3">Section 1.3 Authorization Grant</a>
|
||||
*/
|
||||
public abstract class AuthorizationGrantAuthenticationToken extends AbstractAuthenticationToken {
|
||||
public abstract class AbstractOAuth2AuthorizationGrantAuthenticationToken extends AbstractAuthenticationToken {
|
||||
private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
|
||||
private final AuthorizationGrantType authorizationGrantType;
|
||||
|
||||
protected AuthorizationGrantAuthenticationToken(AuthorizationGrantType authorizationGrantType) {
|
||||
protected AbstractOAuth2AuthorizationGrantAuthenticationToken(AuthorizationGrantType authorizationGrantType) {
|
||||
super(Collections.emptyList());
|
||||
Assert.notNull(authorizationGrantType, "authorizationGrantType cannot be null");
|
||||
this.authorizationGrantType = authorizationGrantType;
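Review bot: Renaming this class changes the name written into its Java-serialized form, and the class declares a `serialVersionUID` and extends `AbstractAuthenticationToken`, so any instance serialized under `AuthorizationGrantAuthenticationToken` (for example in a persisted HTTP session) would presumably fail to deserialize afterwards. Other sections of this commit tag the related types `@since 5.0`, so this may be unreleased API where the break is acceptable; if so, one sentence in the commit description stating that no serialized-form compatibility is kept would settle it. The same applies to `OAuth2AuthorizationCodeAuthenticationToken` in its own section. The constructor body continues outside the hunk.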
|
|
@ -28,13 +28,13 @@ import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenRespon
|
|||
* @author Joe Grandja
|
||||
* @since 5.0
|
||||
* @see AuthorizationGrantType
|
||||
* @see AuthorizationGrantAuthenticationToken
|
||||
* @see AbstractOAuth2AuthorizationGrantAuthenticationToken
|
||||
* @see OAuth2AccessTokenResponse
|
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-1.3">Section 1.3 Authorization Grant</a>
|
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.1.3">Section 4.1.3 Access Token Request (Authorization Code Grant)</a>
|
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.1.4">Section 4.1.4 Access Token Response (Authorization Code Grant)</a>
|
||||
*/
|
||||
public interface AuthorizationGrantTokenExchanger<T extends AuthorizationGrantAuthenticationToken> {
|
||||
public interface AuthorizationGrantTokenExchanger<T extends AbstractOAuth2AuthorizationGrantAuthenticationToken> {
|
||||
|
||||
OAuth2AccessTokenResponse exchange(T authorizationGrantAuthentication) throws OAuth2AuthenticationException;
|
||||
|
||||
|
|
|
@ -58,17 +58,17 @@ import java.util.Set;
|
|||
* @author Joe Grandja
|
||||
* @since 5.0
|
||||
* @see AuthorizationGrantTokenExchanger
|
||||
* @see AuthorizationCodeAuthenticationToken
|
||||
* @see OAuth2AuthorizationCodeAuthenticationToken
|
||||
* @see OAuth2AccessTokenResponse
|
||||
* @see <a target="_blank" href="https://connect2id.com/products/nimbus-oauth-openid-connect-sdk">Nimbus OAuth 2.0 SDK</a>
|
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.1.3">Section 4.1.3 Access Token Request (Authorization Code Grant)</a>
|
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.1.4">Section 4.1.4 Access Token Response (Authorization Code Grant)</a>
|
||||
*/
|
||||
public class NimbusAuthorizationCodeTokenExchanger implements AuthorizationGrantTokenExchanger<AuthorizationCodeAuthenticationToken> {
|
||||
public class NimbusAuthorizationCodeTokenExchanger implements AuthorizationGrantTokenExchanger<OAuth2AuthorizationCodeAuthenticationToken> {
|
||||
private static final String INVALID_TOKEN_RESPONSE_ERROR_CODE = "invalid_token_response";
|
||||
|
||||
@Override
|
||||
public OAuth2AccessTokenResponse exchange(AuthorizationCodeAuthenticationToken authorizationCodeAuthentication)
|
||||
public OAuth2AccessTokenResponse exchange(OAuth2AuthorizationCodeAuthenticationToken authorizationCodeAuthentication)
|
||||
throws OAuth2AuthenticationException {
|
||||
|
||||
ClientRegistration clientRegistration = authorizationCodeAuthentication.getClientRegistration();
|
||||
|
|
|
@ -23,23 +23,23 @@ import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResp
|
|||
import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
* An implementation of an {@link AuthorizationGrantAuthenticationToken} that holds
|
||||
* An implementation of an {@link AbstractOAuth2AuthorizationGrantAuthenticationToken} that holds
|
||||
* an <i>authorization code grant</i> credential for a specific client identified in {@link #getClientRegistration()}.
|
||||
*
|
||||
* @author Joe Grandja
|
||||
* @since 5.0
|
||||
* @see AuthorizationGrantAuthenticationToken
|
||||
* @see AbstractOAuth2AuthorizationGrantAuthenticationToken
|
||||
* @see ClientRegistration
|
||||
* @see OAuth2AuthorizationRequest
|
||||
* @see OAuth2AuthorizationResponse
|
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-1.3.1">Section 1.3.1 Authorization Code Grant</a>
|
||||
*/
|
||||
public class AuthorizationCodeAuthenticationToken extends AuthorizationGrantAuthenticationToken {
|
||||
public class OAuth2AuthorizationCodeAuthenticationToken extends AbstractOAuth2AuthorizationGrantAuthenticationToken {
|
||||
private final ClientRegistration clientRegistration;
|
||||
private final OAuth2AuthorizationExchange authorizationExchange;
|
||||
|
||||
public AuthorizationCodeAuthenticationToken(ClientRegistration clientRegistration,
|
||||
OAuth2AuthorizationExchange authorizationExchange) {
|
||||
public OAuth2AuthorizationCodeAuthenticationToken(ClientRegistration clientRegistration,
|
||||
OAuth2AuthorizationExchange authorizationExchange) {
|
||||
|
||||
super(AuthorizationGrantType.AUTHORIZATION_CODE);
|
||||
Assert.notNull(clientRegistration, "clientRegistration cannot be null");
|
|
@ -47,7 +47,7 @@ import java.util.Collection;
|
|||
*
|
||||
* @author Joe Grandja
|
||||
* @since 5.0
|
||||
* @see AuthorizationCodeAuthenticationToken
|
||||
* @see OAuth2AuthorizationCodeAuthenticationToken
|
||||
* @see OAuth2AuthenticationToken
|
||||
* @see OAuth2UserService
|
||||
* @see OAuth2AuthorizedClient
|
||||
|
@ -59,12 +59,12 @@ import java.util.Collection;
|
|||
public class OAuth2LoginAuthenticationProvider implements AuthenticationProvider {
|
||||
private static final String INVALID_STATE_PARAMETER_ERROR_CODE = "invalid_state_parameter";
|
||||
private static final String INVALID_REDIRECT_URI_PARAMETER_ERROR_CODE = "invalid_redirect_uri_parameter";
|
||||
private final AuthorizationGrantTokenExchanger<AuthorizationCodeAuthenticationToken> authorizationCodeTokenExchanger;
|
||||
private final AuthorizationGrantTokenExchanger<OAuth2AuthorizationCodeAuthenticationToken> authorizationCodeTokenExchanger;
|
||||
private final OAuth2UserService<OAuth2AuthorizedClient, OAuth2User> userService;
|
||||
private GrantedAuthoritiesMapper authoritiesMapper = (authorities -> authorities);
|
||||
|
||||
public OAuth2LoginAuthenticationProvider(
|
||||
AuthorizationGrantTokenExchanger<AuthorizationCodeAuthenticationToken> authorizationCodeTokenExchanger,
|
||||
AuthorizationGrantTokenExchanger<OAuth2AuthorizationCodeAuthenticationToken> authorizationCodeTokenExchanger,
|
||||
OAuth2UserService<OAuth2AuthorizedClient, OAuth2User> userService) {
|
||||
|
||||
Assert.notNull(authorizationCodeTokenExchanger, "authorizationCodeTokenExchanger cannot be null");
|
||||
|
@ -75,8 +75,8 @@ public class OAuth2LoginAuthenticationProvider implements AuthenticationProvider
|
|||
|
||||
@Override
|
||||
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
|
||||
AuthorizationCodeAuthenticationToken authorizationCodeAuthentication =
|
||||
(AuthorizationCodeAuthenticationToken) authentication;
|
||||
OAuth2AuthorizationCodeAuthenticationToken authorizationCodeAuthentication =
|
||||
(OAuth2AuthorizationCodeAuthenticationToken) authentication;
|
||||
|
||||
// Section 3.1.2.1 Authentication Request - http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
|
||||
// scope
|
||||
|
@ -141,6 +141,6 @@ public class OAuth2LoginAuthenticationProvider implements AuthenticationProvider
|
|||
|
||||
@Override
|
||||
public boolean supports(Class<?> authentication) {
|
||||
return AuthorizationCodeAuthenticationToken.class.isAssignableFrom(authentication);
|
||||
return OAuth2AuthorizationCodeAuthenticationToken.class.isAssignableFrom(authentication);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -34,7 +34,7 @@ import java.util.Set;
|
|||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.1.1">Section 4.1.1 Authorization Code Grant Request</a>
|
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.2.1">Section 4.2.1 Implicit Grant Request</a>
|
||||
*/
|
||||
public class DefaultAuthorizationRequestUriBuilder implements AuthorizationRequestUriBuilder {
|
||||
public class OAuth2AuthorizationRequestUriBuilder implements AuthorizationRequestUriBuilder {
|
||||
|
||||
@Override
|
||||
public URI build(OAuth2AuthorizationRequest authorizationRequest) {
|
|
@ -20,7 +20,7 @@ import org.springframework.security.core.Authentication;
|
|||
import org.springframework.security.core.AuthenticationException;
|
||||
import org.springframework.security.core.GrantedAuthority;
|
||||
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
|
||||
import org.springframework.security.oauth2.client.authentication.AuthorizationCodeAuthenticationToken;
|
||||
import org.springframework.security.oauth2.client.authentication.OAuth2AuthorizationCodeAuthenticationToken;
|
||||
import org.springframework.security.oauth2.client.authentication.AuthorizationGrantTokenExchanger;
|
||||
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
|
||||
import org.springframework.security.oauth2.client.jwt.JwtDecoderRegistry;
|
||||
|
@ -62,7 +62,7 @@ import java.util.List;
|
|||
*
|
||||
* @author Joe Grandja
|
||||
* @since 5.0
|
||||
* @see AuthorizationCodeAuthenticationToken
|
||||
* @see OAuth2AuthorizationCodeAuthenticationToken
|
||||
* @see OAuth2AuthenticationToken
|
||||
* @see OidcUserService
|
||||
* @see OidcAuthorizedClient
|
||||
|
@ -75,13 +75,13 @@ public class OidcAuthorizationCodeAuthenticationProvider implements Authenticati
|
|||
private static final String INVALID_STATE_PARAMETER_ERROR_CODE = "invalid_state_parameter";
|
||||
private static final String INVALID_REDIRECT_URI_PARAMETER_ERROR_CODE = "invalid_redirect_uri_parameter";
|
||||
private static final String INVALID_ID_TOKEN_ERROR_CODE = "invalid_id_token";
|
||||
private final AuthorizationGrantTokenExchanger<AuthorizationCodeAuthenticationToken> authorizationCodeTokenExchanger;
|
||||
private final AuthorizationGrantTokenExchanger<OAuth2AuthorizationCodeAuthenticationToken> authorizationCodeTokenExchanger;
|
||||
private final OAuth2UserService<OidcAuthorizedClient, OidcUser> userService;
|
||||
private final JwtDecoderRegistry jwtDecoderRegistry;
|
||||
private GrantedAuthoritiesMapper authoritiesMapper = (authorities -> authorities);
|
||||
|
||||
public OidcAuthorizationCodeAuthenticationProvider(
|
||||
AuthorizationGrantTokenExchanger<AuthorizationCodeAuthenticationToken> authorizationCodeTokenExchanger,
|
||||
AuthorizationGrantTokenExchanger<OAuth2AuthorizationCodeAuthenticationToken> authorizationCodeTokenExchanger,
|
||||
OAuth2UserService<OidcAuthorizedClient, OidcUser> userService,
|
||||
JwtDecoderRegistry jwtDecoderRegistry) {
|
||||
|
||||
|
@ -95,8 +95,8 @@ public class OidcAuthorizationCodeAuthenticationProvider implements Authenticati
|
|||
|
||||
@Override
|
||||
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
|
||||
AuthorizationCodeAuthenticationToken authorizationCodeAuthentication =
|
||||
(AuthorizationCodeAuthenticationToken) authentication;
|
||||
OAuth2AuthorizationCodeAuthenticationToken authorizationCodeAuthentication =
|
||||
(OAuth2AuthorizationCodeAuthenticationToken) authentication;
|
||||
|
||||
// Section 3.1.2.1 Authentication Request - http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
|
||||
// scope
|
||||
|
@ -179,7 +179,7 @@ public class OidcAuthorizationCodeAuthenticationProvider implements Authenticati
|
|||
|
||||
@Override
|
||||
public boolean supports(Class<?> authentication) {
|
||||
return AuthorizationCodeAuthenticationToken.class.isAssignableFrom(authentication);
|
||||
return OAuth2AuthorizationCodeAuthenticationToken.class.isAssignableFrom(authentication);
|
||||
}
|
||||
|
||||
private void validateIdToken(OidcIdToken idToken, ClientRegistration clientRegistration) {
|
||||
|
|
|
@ -25,7 +25,7 @@ import javax.servlet.http.HttpServletResponse;
|
|||
* of {@link OAuth2AuthorizationRequest} between requests.
|
||||
*
|
||||
* <p>
|
||||
* Used by the {@link AuthorizationRequestRedirectFilter} for persisting the <i>Authorization Request</i>
|
||||
* Used by the {@link OAuth2AuthorizationRequestRedirectFilter} for persisting the <i>Authorization Request</i>
|
||||
* before it initiates the authorization code grant flow.
|
||||
* As well, used by the {@link OAuth2LoginAuthenticationFilter} for resolving
|
||||
* the associated <i>Authorization Request</i> when handling the <i>Authorization Response</i>.
|
||||
|
|
|
@ -18,7 +18,7 @@ package org.springframework.security.oauth2.client.web;
|
|||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
|
||||
import org.springframework.security.crypto.keygen.StringKeyGenerator;
|
||||
import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationRequestUriBuilder;
|
||||
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationRequestUriBuilder;
|
||||
import org.springframework.security.oauth2.client.registration.ClientRegistration;
|
||||
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
|
||||
import org.springframework.security.oauth2.core.AuthorizationGrantType;
|
||||
|
@ -65,21 +65,21 @@ import java.util.Map;
|
|||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.2">Section 4.2 Implicit Grant</a>
|
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.2.1">Section 4.2.1 Authorization Request (Implicit)</a>
|
||||
*/
|
||||
public class AuthorizationRequestRedirectFilter extends OncePerRequestFilter {
|
||||
public class OAuth2AuthorizationRequestRedirectFilter extends OncePerRequestFilter {
|
||||
public static final String DEFAULT_AUTHORIZATION_REQUEST_BASE_URI = "/oauth2/authorization";
|
||||
private static final String REGISTRATION_ID_URI_VARIABLE_NAME = "registrationId";
|
||||
private final AntPathRequestMatcher authorizationRequestMatcher;
|
||||
private final ClientRegistrationRepository clientRegistrationRepository;
|
||||
private AuthorizationRequestUriBuilder authorizationRequestUriBuilder = new DefaultAuthorizationRequestUriBuilder();
|
||||
private AuthorizationRequestUriBuilder authorizationRequestUriBuilder = new OAuth2AuthorizationRequestUriBuilder();
|
||||
private final RedirectStrategy authorizationRedirectStrategy = new DefaultRedirectStrategy();
|
||||
private final StringKeyGenerator stateGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder());
|
||||
private AuthorizationRequestRepository authorizationRequestRepository = new HttpSessionAuthorizationRequestRepository();
|
||||
|
||||
public AuthorizationRequestRedirectFilter(ClientRegistrationRepository clientRegistrationRepository) {
|
||||
public OAuth2AuthorizationRequestRedirectFilter(ClientRegistrationRepository clientRegistrationRepository) {
|
||||
this(DEFAULT_AUTHORIZATION_REQUEST_BASE_URI, clientRegistrationRepository);
|
||||
}
|
||||
|
||||
public AuthorizationRequestRedirectFilter(
|
||||
public OAuth2AuthorizationRequestRedirectFilter(
|
||||
String authorizationRequestBaseUri, ClientRegistrationRepository clientRegistrationRepository) {
|
||||
|
||||
Assert.hasText(authorizationRequestBaseUri, "authorizationRequestBaseUri cannot be empty");
|
|
@ -19,7 +19,7 @@ import org.springframework.security.authentication.AuthenticationManager;
|
|||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.AuthenticationException;
|
||||
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
|
||||
import org.springframework.security.oauth2.client.authentication.AuthorizationCodeAuthenticationToken;
|
||||
import org.springframework.security.oauth2.client.authentication.OAuth2AuthorizationCodeAuthenticationToken;
|
||||
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
|
||||
import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationProvider;
|
||||
import org.springframework.security.oauth2.client.registration.ClientRegistration;
|
||||
|
@ -59,7 +59,7 @@ import java.io.IOException;
|
|||
* and redirect the end-user's user-agent back to this <code>Filter</code> (the client).
|
||||
* </li>
|
||||
* <li>
|
||||
* This <code>Filter</code> will then create an {@link AuthorizationCodeAuthenticationToken} with
|
||||
* This <code>Filter</code> will then create an {@link OAuth2AuthorizationCodeAuthenticationToken} with
|
||||
* the {@link OAuth2ParameterNames#CODE} received in the previous step and delegate it to
|
||||
* {@link OAuth2LoginAuthenticationProvider#authenticate(Authentication)} (indirectly via {@link AuthenticationManager}).
|
||||
* </li>
|
||||
|
@ -68,13 +68,13 @@ import java.io.IOException;
|
|||
* @author Joe Grandja
|
||||
* @since 5.0
|
||||
* @see AbstractAuthenticationProcessingFilter
|
||||
* @see AuthorizationCodeAuthenticationToken
|
||||
* @see OAuth2AuthorizationCodeAuthenticationToken
|
||||
* @see OAuth2AuthenticationToken
|
||||
* @see OAuth2LoginAuthenticationProvider
|
||||
* @see OAuth2AuthorizationRequest
|
||||
* @see OAuth2AuthorizationResponse
|
||||
* @see AuthorizationRequestRepository
|
||||
* @see AuthorizationRequestRedirectFilter
|
||||
* @see OAuth2AuthorizationRequestRedirectFilter
|
||||
* @see ClientRegistrationRepository
|
||||
* @see OAuth2TokenRepository
|
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.1">Section 4.1 Authorization Code Grant</a>
|
||||
|
@ -123,7 +123,7 @@ public class OAuth2LoginAuthenticationFilter extends AbstractAuthenticationProce
|
|||
|
||||
// The clientRegistration.redirectUri may contain Uri template variables, whether it's configured by
|
||||
// the user or configured by default. In these cases, the redirectUri will be expanded and ultimately changed
|
||||
// (by AuthorizationRequestRedirectFilter) before setting it in the authorization request.
|
||||
// (by OAuth2AuthorizationRequestRedirectFilter) before setting it in the authorization request.
|
||||
// The resulting redirectUri used for the authorization request and saved within the AuthorizationRequestRepository
|
||||
// MUST BE the same one used to complete the authorization code flow.
|
||||
// Therefore, we'll create a copy of the clientRegistration and override the redirectUri
|
||||
|
@ -132,7 +132,7 @@ public class OAuth2LoginAuthenticationFilter extends AbstractAuthenticationProce
|
|||
.redirectUri(authorizationRequest.getRedirectUri())
|
||||
.build();
|
||||
|
||||
AuthorizationCodeAuthenticationToken authorizationCodeAuthentication = new AuthorizationCodeAuthenticationToken(
|
||||
OAuth2AuthorizationCodeAuthenticationToken authorizationCodeAuthentication = new OAuth2AuthorizationCodeAuthenticationToken(
|
||||
clientRegistration, new OAuth2AuthorizationExchange(authorizationRequest, authorizationResponse));
|
||||
authorizationCodeAuthentication.setDetails(this.authenticationDetailsSource.buildDetails(request));
|
||||
|
||||
|
|
|
@ -30,8 +30,8 @@ import static org.assertj.core.api.Assertions.assertThat;
|
|||
* @author Rob Winch
|
||||
* @since 5.0
|
||||
*/
|
||||
public class DefaultAuthorizationRequestUriBuilderTests {
|
||||
private DefaultAuthorizationRequestUriBuilder builder = new DefaultAuthorizationRequestUriBuilder();
|
||||
public class OAuth2AuthorizationRequestUriBuilderTests {
|
||||
private OAuth2AuthorizationRequestUriBuilder builder = new OAuth2AuthorizationRequestUriBuilder();
|
||||
|
||||
@Test
|
||||
public void buildWhenScopeMultiThenSeparatedByEncodedSpace() {
|
|
@ -32,22 +32,22 @@ import javax.servlet.http.HttpServletResponse;
|
|||
import java.net.URI;
|
||||
|
||||
/**
|
||||
* Tests {@link AuthorizationRequestRedirectFilter}.
|
||||
* Tests {@link OAuth2AuthorizationRequestRedirectFilter}.
|
||||
*
|
||||
* @author Joe Grandja
|
||||
*/
|
||||
public class AuthorizationRequestRedirectFilterTests {
|
||||
public class OAuth2AuthorizationRequestRedirectFilterTests {
|
||||
|
||||
@Test(expected = IllegalArgumentException.class)
|
||||
public void constructorWhenClientRegistrationRepositoryIsNullThenThrowIllegalArgumentException() {
|
||||
new AuthorizationRequestRedirectFilter(null);
|
||||
new OAuth2AuthorizationRequestRedirectFilter(null);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterWhenRequestDoesNotMatchClientThenContinueChain() throws Exception {
|
||||
ClientRegistration clientRegistration = TestUtil.googleClientRegistration();
|
||||
String authorizationUri = clientRegistration.getProviderDetails().getAuthorizationUri().toString();
|
||||
AuthorizationRequestRedirectFilter filter =
|
||||
OAuth2AuthorizationRequestRedirectFilter filter =
|
||||
setupFilter(authorizationUri, clientRegistration);
|
||||
|
||||
String requestURI = "/path";
|
||||
|
@ -65,7 +65,7 @@ public class AuthorizationRequestRedirectFilterTests {
|
|||
public void doFilterWhenRequestMatchesClientThenRedirectForAuthorization() throws Exception {
|
||||
ClientRegistration clientRegistration = TestUtil.googleClientRegistration();
|
||||
String authorizationUri = clientRegistration.getProviderDetails().getAuthorizationUri().toString();
|
||||
AuthorizationRequestRedirectFilter filter =
|
||||
OAuth2AuthorizationRequestRedirectFilter filter =
|
||||
setupFilter(authorizationUri, clientRegistration);
|
||||
|
||||
String requestUri = TestUtil.AUTHORIZATION_BASE_URI + "/" + clientRegistration.getRegistrationId();
|
||||
|
@ -85,7 +85,7 @@ public class AuthorizationRequestRedirectFilterTests {
|
|||
public void doFilterWhenRequestMatchesClientThenAuthorizationRequestSavedInSession() throws Exception {
|
||||
ClientRegistration clientRegistration = TestUtil.githubClientRegistration();
|
||||
String authorizationUri = clientRegistration.getProviderDetails().getAuthorizationUri().toString();
|
||||
AuthorizationRequestRedirectFilter filter =
|
||||
OAuth2AuthorizationRequestRedirectFilter filter =
|
||||
setupFilter(authorizationUri, clientRegistration);
|
||||
AuthorizationRequestRepository authorizationRequestRepository = new HttpSessionAuthorizationRequestRepository();
|
||||
filter.setAuthorizationRequestRepository(authorizationRequestRepository);
|
||||
|
@ -114,8 +114,8 @@ public class AuthorizationRequestRedirectFilterTests {
|
|||
Assertions.assertThat(authorizationRequest.getState()).isNotNull();
|
||||
}
|
||||
|
||||
private AuthorizationRequestRedirectFilter setupFilter(String authorizationUri,
|
||||
ClientRegistration... clientRegistrations) throws Exception {
|
||||
private OAuth2AuthorizationRequestRedirectFilter setupFilter(String authorizationUri,
|
||||
ClientRegistration... clientRegistrations) throws Exception {
|
||||
|
||||
AuthorizationRequestUriBuilder authorizationUriBuilder = Mockito.mock(AuthorizationRequestUriBuilder.class);
|
||||
URI authorizationURI = new URI(authorizationUri);
|
||||
|
@ -124,11 +124,11 @@ public class AuthorizationRequestRedirectFilterTests {
|
|||
return setupFilter(authorizationUriBuilder, clientRegistrations);
|
||||
}
|
||||
|
||||
private AuthorizationRequestRedirectFilter setupFilter(AuthorizationRequestUriBuilder authorizationUriBuilder,
|
||||
ClientRegistration... clientRegistrations) throws Exception {
|
||||
private OAuth2AuthorizationRequestRedirectFilter setupFilter(AuthorizationRequestUriBuilder authorizationUriBuilder,
|
||||
ClientRegistration... clientRegistrations) throws Exception {
|
||||
|
||||
ClientRegistrationRepository clientRegistrationRepository = TestUtil.clientRegistrationRepository(clientRegistrations);
|
||||
AuthorizationRequestRedirectFilter filter = new AuthorizationRequestRedirectFilter(clientRegistrationRepository);
|
||||
OAuth2AuthorizationRequestRedirectFilter filter = new OAuth2AuthorizationRequestRedirectFilter(clientRegistrationRepository);
|
||||
filter.setAuthorizationRequestUriBuilder(authorizationUriBuilder);
|
||||
|
||||
return filter;
|
|
@ -31,7 +31,7 @@ public final class OAuth2AuthorizationExchange {
|
|||
private final OAuth2AuthorizationResponse authorizationResponse;
|
||||
|
||||
public OAuth2AuthorizationExchange(OAuth2AuthorizationRequest authorizationRequest,
|
||||
OAuth2AuthorizationResponse authorizationResponse) {
|
||||
OAuth2AuthorizationResponse authorizationResponse) {
|
||||
Assert.notNull(authorizationRequest, "authorizationRequest cannot be null");
|
||||
Assert.notNull(authorizationResponse, "authorizationResponse cannot be null");
|
||||
this.authorizationRequest = authorizationRequest;
|
||||
|
|
|
@ -58,7 +58,7 @@ public class DefaultOidcUser extends DefaultOAuth2User implements OidcUser {
|
|||
}
|
||||
|
||||
public DefaultOidcUser(Set<GrantedAuthority> authorities, OidcIdToken idToken, OidcUserInfo userInfo,
|
||||
String nameAttributeKey) {
|
||||
String nameAttributeKey) {
|
||||
super(authorities, OidcUser.collectClaims(idToken, userInfo), nameAttributeKey);
|
||||
this.idToken = idToken;
|
||||
this.userInfo = userInfo;
|
||||
|
|
|
@ -36,13 +36,13 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
|||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
import org.springframework.security.core.GrantedAuthority;
|
||||
import org.springframework.security.oauth2.client.authentication.AuthorizationCodeAuthenticationToken;
|
||||
import org.springframework.security.oauth2.client.authentication.OAuth2AuthorizationCodeAuthenticationToken;
|
||||
import org.springframework.security.oauth2.client.authentication.AuthorizationGrantTokenExchanger;
|
||||
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
|
||||
import org.springframework.security.oauth2.client.registration.ClientRegistration;
|
||||
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
|
||||
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
|
||||
import org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter;
|
||||
import org.springframework.security.oauth2.client.web.AuthorizationRequestRedirectFilter;
|
||||
import org.springframework.security.oauth2.core.OAuth2AccessToken;
|
||||
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
|
||||
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponseType;
|
||||
|
@ -70,7 +70,7 @@ import static org.mockito.Mockito.mock;
|
|||
import static org.mockito.Mockito.when;
|
||||
|
||||
/**
|
||||
* Integration tests for the OAuth 2.0 client filters {@link AuthorizationRequestRedirectFilter}
|
||||
* Integration tests for the OAuth 2.0 client filters {@link OAuth2AuthorizationRequestRedirectFilter}
|
||||
* and {@link OAuth2LoginAuthenticationFilter}.
|
||||
* These filters work together to realize the Authorization Code Grant flow.
|
||||
*
|
||||
|
@ -354,7 +354,7 @@ public class OAuth2LoginApplicationTests {
|
|||
}
|
||||
// @formatter:on
|
||||
|
||||
private AuthorizationGrantTokenExchanger<AuthorizationCodeAuthenticationToken> mockAuthorizationCodeTokenExchanger() {
|
||||
private AuthorizationGrantTokenExchanger<OAuth2AuthorizationCodeAuthenticationToken> mockAuthorizationCodeTokenExchanger() {
|
||||
OAuth2AccessTokenResponse accessTokenResponse = OAuth2AccessTokenResponse.withToken("access-token-1234")
|
||||
.tokenType(OAuth2AccessToken.TokenType.BEARER)
|
||||
.expiresIn(60 * 1000)
|
||||
|
|