mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-05-31 01:02:14 +00:00
Remove deprecated implicit authorization grant type
Closes gh-11506
This commit is contained in:
Joe Grandja
parent
9608eaa138
commit
a3326fc0ee
@ -1,105 +0,0 @@
|
||||
/*
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.config.annotation.web.configurers.oauth2.client;
|
||||
|
||||
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
|
||||
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
|
||||
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
|
||||
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
* An {@link AbstractHttpConfigurer} for the OAuth 2.0 Implicit Grant type.
|
||||
*
|
||||
* <h2>Security Filters</h2>
|
||||
*
|
||||
* The following {@code Filter}'s are populated:
|
||||
*
|
||||
* <ul>
|
||||
* <li>{@link OAuth2AuthorizationRequestRedirectFilter}</li>
|
||||
* </ul>
|
||||
*
|
||||
* <h2>Shared Objects Created</h2>
|
||||
*
|
||||
* The following shared objects are populated:
|
||||
*
|
||||
* <ul>
|
||||
* <li>{@link ClientRegistrationRepository} (required)</li>
|
||||
* </ul>
|
||||
*
|
||||
* <h2>Shared Objects Used</h2>
|
||||
*
|
||||
* The following shared objects are used:
|
||||
*
|
||||
* <ul>
|
||||
* <li>{@link ClientRegistrationRepository}</li>
|
||||
* </ul>
|
||||
*
|
||||
* @author Joe Grandja
|
||||
* @since 5.0
|
||||
* @see OAuth2AuthorizationRequestRedirectFilter
|
||||
* @see ClientRegistrationRepository
|
||||
* @deprecated It is not recommended to use the implicit flow due to the inherent risks of
|
||||
* returning access tokens in an HTTP redirect without any confirmation that it has been
|
||||
* received by the client. See reference
|
||||
* <a target="_blank" href="https://oauth.net/2/grant-types/implicit/">OAuth 2.0 Implicit
|
||||
* Grant</a>.
|
||||
*/
|
||||
@Deprecated
|
||||
public final class ImplicitGrantConfigurer<B extends HttpSecurityBuilder<B>>
|
||||
extends AbstractHttpConfigurer<ImplicitGrantConfigurer<B>, B> {
|
||||
|
||||
private String authorizationRequestBaseUri;
|
||||
|
||||
/**
|
||||
* Sets the base {@code URI} used for authorization requests.
|
||||
* @param authorizationRequestBaseUri the base {@code URI} used for authorization
|
||||
* requests
|
||||
* @return the {@link ImplicitGrantConfigurer} for further configuration
|
||||
*/
|
||||
public ImplicitGrantConfigurer<B> authorizationRequestBaseUri(String authorizationRequestBaseUri) {
|
||||
Assert.hasText(authorizationRequestBaseUri, "authorizationRequestBaseUri cannot be empty");
|
||||
this.authorizationRequestBaseUri = authorizationRequestBaseUri;
|
||||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the repository of client registrations.
|
||||
* @param clientRegistrationRepository the repository of client registrations
|
||||
* @return the {@link ImplicitGrantConfigurer} for further configuration
|
||||
*/
|
||||
public ImplicitGrantConfigurer<B> clientRegistrationRepository(
|
||||
ClientRegistrationRepository clientRegistrationRepository) {
|
||||
Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null");
|
||||
this.getBuilder().setSharedObject(ClientRegistrationRepository.class, clientRegistrationRepository);
|
||||
return this;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void configure(B http) {
|
||||
OAuth2AuthorizationRequestRedirectFilter authorizationRequestFilter = new OAuth2AuthorizationRequestRedirectFilter(
|
||||
OAuth2ClientConfigurerUtils.getClientRegistrationRepository(this.getBuilder()),
|
||||
this.getAuthorizationRequestBaseUri());
|
||||
http.addFilter(this.postProcess(authorizationRequestFilter));
|
||||
}
|
||||
|
||||
private String getAuthorizationRequestBaseUri() {
|
||||
return (this.authorizationRequestBaseUri != null) ? this.authorizationRequestBaseUri
|
||||
: OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI;
|
||||
}
|
||||
|
||||
}
|
||||
@ -569,8 +569,8 @@ client-registration.attlist &=
|
||||
## The method used to authenticate the client with the provider. The supported values are client_secret_basic, client_secret_post and none (public clients).
|
||||
attribute client-authentication-method {"client_secret_basic" | "basic" | "client_secret_post" | "post" | "none"}?
|
||||
client-registration.attlist &=
|
||||
## The OAuth 2.0 Authorization Framework defines four Authorization Grant types. The supported values are authorization_code, client_credentials, password and implicit.
|
||||
attribute authorization-grant-type {"authorization_code" | "client_credentials" | "password" | "implicit"}?
|
||||
## The OAuth 2.0 Authorization Framework defines four Authorization Grant types. The supported values are authorization_code, client_credentials and password.
|
||||
attribute authorization-grant-type {"authorization_code" | "client_credentials" | "password"}?
|
||||
client-registration.attlist &=
|
||||
## The client’s registered redirect URI that the Authorization Server redirects the end-user’s user-agent to after the end-user has authenticated and authorized access to the client.
|
||||
attribute redirect-uri {xsd:token}?
|
||||
|
||||
@ -1792,7 +1792,7 @@
|
||||
<xs:attribute name="authorization-grant-type">
|
||||
<xs:annotation>
|
||||
<xs:documentation>The OAuth 2.0 Authorization Framework defines four Authorization Grant types. The
|
||||
supported values are authorization_code, client_credentials, password and implicit.
|
||||
supported values are authorization_code, client_credentials and password.
|
||||
</xs:documentation>
|
||||
</xs:annotation>
|
||||
<xs:simpleType>
|
||||
@ -1800,7 +1800,6 @@
|
||||
<xs:enumeration value="authorization_code"/>
|
||||
<xs:enumeration value="client_credentials"/>
|
||||
<xs:enumeration value="password"/>
|
||||
<xs:enumeration value="implicit"/>
|
||||
</xs:restriction>
|
||||
</xs:simpleType>
|
||||
</xs:attribute>
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@ -72,9 +72,6 @@ final class OAuth2AuthorizationRequestDeserializer extends JsonDeserializer<OAut
|
||||
if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(authorizationGrantType)) {
|
||||
return OAuth2AuthorizationRequest.authorizationCode();
|
||||
}
|
||||
if (AuthorizationGrantType.IMPLICIT.equals(authorizationGrantType)) {
|
||||
return OAuth2AuthorizationRequest.implicit();
|
||||
}
|
||||
throw new JsonParseException(parser, "Invalid authorizationGrantType");
|
||||
}
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@ -74,9 +74,6 @@ abstract class StdConverters {
|
||||
if (AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equalsIgnoreCase(value)) {
|
||||
return AuthorizationGrantType.AUTHORIZATION_CODE;
|
||||
}
|
||||
if (AuthorizationGrantType.IMPLICIT.getValue().equalsIgnoreCase(value)) {
|
||||
return AuthorizationGrantType.IMPLICIT;
|
||||
}
|
||||
if (AuthorizationGrantType.CLIENT_CREDENTIALS.getValue().equalsIgnoreCase(value)) {
|
||||
return AuthorizationGrantType.CLIENT_CREDENTIALS;
|
||||
}
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@ -616,9 +616,6 @@ public final class ClientRegistration implements Serializable {
|
||||
else if (AuthorizationGrantType.PASSWORD.equals(this.authorizationGrantType)) {
|
||||
this.validatePasswordGrantType();
|
||||
}
|
||||
else if (AuthorizationGrantType.IMPLICIT.equals(this.authorizationGrantType)) {
|
||||
this.validateImplicitGrantType();
|
||||
}
|
||||
else if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(this.authorizationGrantType)) {
|
||||
this.validateAuthorizationCodeGrantType();
|
||||
}
|
||||
@ -673,15 +670,6 @@ public final class ClientRegistration implements Serializable {
|
||||
Assert.hasText(this.tokenUri, "tokenUri cannot be empty");
|
||||
}
|
||||
|
||||
private void validateImplicitGrantType() {
|
||||
Assert.isTrue(AuthorizationGrantType.IMPLICIT.equals(this.authorizationGrantType),
|
||||
() -> "authorizationGrantType must be " + AuthorizationGrantType.IMPLICIT.getValue());
|
||||
Assert.hasText(this.registrationId, "registrationId cannot be empty");
|
||||
Assert.hasText(this.clientId, "clientId cannot be empty");
|
||||
Assert.hasText(this.redirectUri, "redirectUri cannot be empty");
|
||||
Assert.hasText(this.authorizationUri, "authorizationUri cannot be empty");
|
||||
}
|
||||
|
||||
private void validateClientCredentialsGrantType() {
|
||||
Assert.isTrue(AuthorizationGrantType.CLIENT_CREDENTIALS.equals(this.authorizationGrantType),
|
||||
() -> "authorizationGrantType must be " + AuthorizationGrantType.CLIENT_CREDENTIALS.getValue());
|
||||
|
||||
@ -188,9 +188,6 @@ public final class DefaultOAuth2AuthorizationRequestResolver implements OAuth2Au
|
||||
}
|
||||
return builder;
|
||||
}
|
||||
if (AuthorizationGrantType.IMPLICIT.equals(clientRegistration.getAuthorizationGrantType())) {
|
||||
return OAuth2AuthorizationRequest.implicit();
|
||||
}
|
||||
throw new IllegalArgumentException(
|
||||
"Invalid Authorization Grant Type (" + clientRegistration.getAuthorizationGrantType().getValue()
|
||||
+ ") for Client Registration with Id: " + clientRegistration.getRegistrationId());
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@ -39,9 +39,8 @@ import org.springframework.util.Assert;
|
||||
import org.springframework.web.filter.OncePerRequestFilter;
|
||||
|
||||
/**
|
||||
* This {@code Filter} initiates the authorization code grant or implicit grant flow by
|
||||
* redirecting the End-User's user-agent to the Authorization Server's Authorization
|
||||
* Endpoint.
|
||||
* This {@code Filter} initiates the authorization code grant flow by redirecting the
|
||||
* End-User's user-agent to the Authorization Server's Authorization Endpoint.
|
||||
*
|
||||
* <p>
|
||||
* It builds the OAuth 2.0 Authorization Request, which is used as the redirect
|
||||
@ -80,11 +79,6 @@ import org.springframework.web.filter.OncePerRequestFilter;
|
||||
* @see <a target="_blank" href=
|
||||
* "https://tools.ietf.org/html/rfc6749#section-4.1.1">Section 4.1.1 Authorization Request
|
||||
* (Authorization Code)</a>
|
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.2">Section
|
||||
* 4.2 Implicit Grant</a>
|
||||
* @see <a target="_blank" href=
|
||||
* "https://tools.ietf.org/html/rfc6749#section-4.2.1">Section 4.2.1 Authorization Request
|
||||
* (Implicit)</a>
|
||||
*/
|
||||
public class OAuth2AuthorizationRequestRedirectFilter extends OncePerRequestFilter {
|
||||
|
||||
|
||||
@ -201,9 +201,6 @@ public class DefaultServerOAuth2AuthorizationRequestResolver implements ServerOA
|
||||
}
|
||||
return builder;
|
||||
}
|
||||
if (AuthorizationGrantType.IMPLICIT.equals(clientRegistration.getAuthorizationGrantType())) {
|
||||
return OAuth2AuthorizationRequest.implicit();
|
||||
}
|
||||
throw new IllegalArgumentException(
|
||||
"Invalid Authorization Grant Type (" + clientRegistration.getAuthorizationGrantType().getValue()
|
||||
+ ") for Client Registration with Id: " + clientRegistration.getRegistrationId());
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2019 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@ -38,9 +38,8 @@ import org.springframework.web.server.WebFilterChain;
|
||||
import org.springframework.web.util.UriComponentsBuilder;
|
||||
|
||||
/**
|
||||
* This {@code WebFilter} initiates the authorization code grant or implicit grant flow by
|
||||
* redirecting the End-User's user-agent to the Authorization Server's Authorization
|
||||
* Endpoint.
|
||||
* This {@code WebFilter} initiates the authorization code grant flow by redirecting the
|
||||
* End-User's user-agent to the Authorization Server's Authorization Endpoint.
|
||||
*
|
||||
* <p>
|
||||
* It builds the OAuth 2.0 Authorization Request, which is used as the redirect
|
||||
@ -67,11 +66,6 @@ import org.springframework.web.util.UriComponentsBuilder;
|
||||
* @see <a target="_blank" href=
|
||||
* "https://tools.ietf.org/html/rfc6749#section-4.1.1">Section 4.1.1 Authorization Request
|
||||
* (Authorization Code)</a>
|
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.2">Section
|
||||
* 4.2 Implicit Grant</a>
|
||||
* @see <a target="_blank" href=
|
||||
* "https://tools.ietf.org/html/rfc6749#section-4.2.1">Section 4.2.1 Authorization Request
|
||||
* (Implicit)</a>
|
||||
*/
|
||||
public class OAuth2AuthorizationRequestRedirectWebFilter implements WebFilter {
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@ -54,22 +54,6 @@ public class OAuth2ClientCredentialsGrantRequestTests {
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> new OAuth2ClientCredentialsGrantRequest(null));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void constructorWhenClientRegistrationInvalidGrantTypeThenThrowIllegalArgumentException() {
|
||||
// @formatter:off
|
||||
ClientRegistration clientRegistration = ClientRegistration.withRegistrationId("registration-1")
|
||||
.clientId("client-1")
|
||||
.authorizationGrantType(AuthorizationGrantType.IMPLICIT)
|
||||
.redirectUri("https://localhost:8080/redirect-uri")
|
||||
.authorizationUri("https://provider.com/oauth2/auth")
|
||||
.clientName("Client 1")
|
||||
.build();
|
||||
// @formatter:on
|
||||
assertThatIllegalArgumentException()
|
||||
.isThrownBy(() -> new OAuth2ClientCredentialsGrantRequest(clientRegistration)).withMessage(
|
||||
"clientRegistration.authorizationGrantType must be AuthorizationGrantType.CLIENT_CREDENTIALS");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void constructorWhenValidParametersProvidedThenCreated() {
|
||||
OAuth2ClientCredentialsGrantRequest clientCredentialsGrantRequest = new OAuth2ClientCredentialsGrantRequest(
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@ -63,7 +63,7 @@ public class OidcUserRequestUtilsTests {
|
||||
|
||||
@Test
|
||||
public void shouldRetrieveUserInfoWhenNotAuthorizationCodeThenFalse() {
|
||||
this.registration.authorizationGrantType(AuthorizationGrantType.IMPLICIT);
|
||||
this.registration.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS);
|
||||
assertThat(OidcUserRequestUtils.shouldRetrieveUserInfo(userRequest())).isFalse();
|
||||
}
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@ -431,129 +431,6 @@ public class ClientRegistrationTests {
|
||||
assertThat(clientRegistration.getProviderDetails().getConfigurationMetadata()).isEmpty();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void buildWhenImplicitGrantAllAttributesProvidedThenAllAttributesAreSet() {
|
||||
// @formatter:off
|
||||
ClientRegistration registration = ClientRegistration.withRegistrationId(REGISTRATION_ID)
|
||||
.clientId(CLIENT_ID)
|
||||
.authorizationGrantType(AuthorizationGrantType.IMPLICIT)
|
||||
.redirectUri(REDIRECT_URI)
|
||||
.scope(SCOPES.toArray(new String[0]))
|
||||
.authorizationUri(AUTHORIZATION_URI)
|
||||
.userInfoAuthenticationMethod(AuthenticationMethod.FORM)
|
||||
.clientName(CLIENT_NAME)
|
||||
.build();
|
||||
// @formatter:on
|
||||
assertThat(registration.getRegistrationId()).isEqualTo(REGISTRATION_ID);
|
||||
assertThat(registration.getClientId()).isEqualTo(CLIENT_ID);
|
||||
assertThat(registration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.IMPLICIT);
|
||||
assertThat(registration.getRedirectUri()).isEqualTo(REDIRECT_URI);
|
||||
assertThat(registration.getScopes()).isEqualTo(SCOPES);
|
||||
assertThat(registration.getProviderDetails().getAuthorizationUri()).isEqualTo(AUTHORIZATION_URI);
|
||||
assertThat(registration.getProviderDetails().getUserInfoEndpoint().getAuthenticationMethod())
|
||||
.isEqualTo(AuthenticationMethod.FORM);
|
||||
assertThat(registration.getClientName()).isEqualTo(CLIENT_NAME);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void buildWhenImplicitGrantRegistrationIdIsNullThenThrowIllegalArgumentException() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() ->
|
||||
// @formatter:off
|
||||
ClientRegistration.withRegistrationId(null)
|
||||
.clientId(CLIENT_ID)
|
||||
.authorizationGrantType(AuthorizationGrantType.IMPLICIT)
|
||||
.redirectUri(REDIRECT_URI)
|
||||
.scope(SCOPES.toArray(new String[0]))
|
||||
.authorizationUri(AUTHORIZATION_URI)
|
||||
.userInfoAuthenticationMethod(AuthenticationMethod.FORM)
|
||||
.clientName(CLIENT_NAME)
|
||||
.build()
|
||||
// @formatter:on
|
||||
);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void buildWhenImplicitGrantClientIdIsNullThenThrowIllegalArgumentException() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() ->
|
||||
// @formatter:off
|
||||
ClientRegistration.withRegistrationId(REGISTRATION_ID)
|
||||
.clientId(null)
|
||||
.authorizationGrantType(AuthorizationGrantType.IMPLICIT)
|
||||
.redirectUri(REDIRECT_URI)
|
||||
.scope(SCOPES.toArray(new String[0]))
|
||||
.authorizationUri(AUTHORIZATION_URI)
|
||||
.userInfoAuthenticationMethod(AuthenticationMethod.FORM)
|
||||
.clientName(CLIENT_NAME)
|
||||
.build()
|
||||
// @formatter:on
|
||||
);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void buildWhenImplicitGrantRedirectUriIsNullThenThrowIllegalArgumentException() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() ->
|
||||
// @formatter:off
|
||||
ClientRegistration.withRegistrationId(REGISTRATION_ID)
|
||||
.clientId(CLIENT_ID)
|
||||
.authorizationGrantType(AuthorizationGrantType.IMPLICIT)
|
||||
.redirectUri(null)
|
||||
.scope(SCOPES.toArray(new String[0]))
|
||||
.authorizationUri(AUTHORIZATION_URI)
|
||||
.userInfoAuthenticationMethod(AuthenticationMethod.FORM)
|
||||
.clientName(CLIENT_NAME)
|
||||
.build()
|
||||
// @formatter:on
|
||||
);
|
||||
}
|
||||
|
||||
// gh-5494
|
||||
@Test
|
||||
public void buildWhenImplicitGrantScopeIsNullThenScopeNotRequired() {
|
||||
// @formatter:off
|
||||
ClientRegistration.withRegistrationId(REGISTRATION_ID)
|
||||
.clientId(CLIENT_ID)
|
||||
.authorizationGrantType(AuthorizationGrantType.IMPLICIT)
|
||||
.redirectUri(REDIRECT_URI)
|
||||
.scope((String[]) null)
|
||||
.authorizationUri(AUTHORIZATION_URI)
|
||||
.userInfoAuthenticationMethod(AuthenticationMethod.FORM)
|
||||
.clientName(CLIENT_NAME)
|
||||
.build();
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@Test
|
||||
public void buildWhenImplicitGrantAuthorizationUriIsNullThenThrowIllegalArgumentException() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() ->
|
||||
// @formatter:off
|
||||
ClientRegistration.withRegistrationId(REGISTRATION_ID)
|
||||
.clientId(CLIENT_ID)
|
||||
.authorizationGrantType(AuthorizationGrantType.IMPLICIT)
|
||||
.redirectUri(REDIRECT_URI)
|
||||
.scope(SCOPES.toArray(new String[0]))
|
||||
.authorizationUri(null)
|
||||
.userInfoAuthenticationMethod(AuthenticationMethod.FORM)
|
||||
.clientName(CLIENT_NAME)
|
||||
.build()
|
||||
// @formatter:on
|
||||
);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void buildWhenImplicitGrantClientNameNotProvidedThenDefaultToRegistrationId() {
|
||||
// @formatter:off
|
||||
ClientRegistration clientRegistration = ClientRegistration.withRegistrationId(REGISTRATION_ID)
|
||||
.clientId(CLIENT_ID)
|
||||
.authorizationGrantType(AuthorizationGrantType.IMPLICIT)
|
||||
.redirectUri(REDIRECT_URI)
|
||||
.scope(SCOPES.toArray(new String[0]))
|
||||
.authorizationUri(AUTHORIZATION_URI)
|
||||
.userInfoAuthenticationMethod(AuthenticationMethod.FORM)
|
||||
.build();
|
||||
// @formatter:on
|
||||
assertThat(clientRegistration.getClientName()).isEqualTo(clientRegistration.getRegistrationId());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void buildWhenOverrideRegistrationIdThenOverridden() {
|
||||
String overriddenId = "override";
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@ -37,7 +37,6 @@ import org.springframework.security.oauth2.client.registration.ClientRegistratio
|
||||
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
|
||||
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
|
||||
import org.springframework.security.oauth2.client.registration.TestClientRegistrations;
|
||||
import org.springframework.security.oauth2.core.AuthorizationGrantType;
|
||||
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
|
||||
import org.springframework.security.web.savedrequest.RequestCache;
|
||||
import org.springframework.util.ClassUtils;
|
||||
@ -49,7 +48,6 @@ import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.BDDMockito.given;
|
||||
import static org.mockito.BDDMockito.willThrow;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.times;
|
||||
import static org.mockito.Mockito.verify;
|
||||
import static org.mockito.Mockito.verifyZeroInteractions;
|
||||
|
||||
@ -64,8 +62,6 @@ public class OAuth2AuthorizationRequestRedirectFilterTests {
|
||||
|
||||
private ClientRegistration registration2;
|
||||
|
||||
private ClientRegistration registration3;
|
||||
|
||||
private ClientRegistrationRepository clientRegistrationRepository;
|
||||
|
||||
private OAuth2AuthorizationRequestRedirectFilter filter;
|
||||
@ -76,15 +72,8 @@ public class OAuth2AuthorizationRequestRedirectFilterTests {
|
||||
public void setUp() {
|
||||
this.registration1 = TestClientRegistrations.clientRegistration().build();
|
||||
this.registration2 = TestClientRegistrations.clientRegistration2().build();
|
||||
// @formatter:off
|
||||
this.registration3 = TestClientRegistrations.clientRegistration()
|
||||
.registrationId("registration-3")
|
||||
.authorizationGrantType(AuthorizationGrantType.IMPLICIT)
|
||||
.redirectUri("{baseUrl}/authorize/oauth2/implicit/{registrationId}")
|
||||
.build();
|
||||
// @formatter:on
|
||||
this.clientRegistrationRepository = new InMemoryClientRegistrationRepository(this.registration1,
|
||||
this.registration2, this.registration3);
|
||||
this.registration2);
|
||||
this.filter = new OAuth2AuthorizationRequestRedirectFilter(this.clientRegistrationRepository);
|
||||
this.requestCache = mock(RequestCache.class);
|
||||
this.filter.setRequestCache(this.requestCache);
|
||||
@ -177,38 +166,6 @@ public class OAuth2AuthorizationRequestRedirectFilterTests {
|
||||
any(HttpServletRequest.class), any(HttpServletResponse.class));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterWhenAuthorizationRequestImplicitGrantThenRedirectForAuthorization() throws Exception {
|
||||
String requestUri = OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI + "/"
|
||||
+ this.registration3.getRegistrationId();
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
|
||||
request.setServletPath(requestUri);
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
FilterChain filterChain = mock(FilterChain.class);
|
||||
this.filter.doFilter(request, response, filterChain);
|
||||
verifyZeroInteractions(filterChain);
|
||||
assertThat(response.getRedirectedUrl()).matches("https://example.com/login/oauth/authorize\\?"
|
||||
+ "response_type=token&client_id=client-id&" + "scope=read:user&state=.{15,}&"
|
||||
+ "redirect_uri=http://localhost/authorize/oauth2/implicit/registration-3");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterWhenAuthorizationRequestImplicitGrantThenAuthorizationRequestNotSaved() throws Exception {
|
||||
String requestUri = OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI + "/"
|
||||
+ this.registration3.getRegistrationId();
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
|
||||
request.setServletPath(requestUri);
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
FilterChain filterChain = mock(FilterChain.class);
|
||||
AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository = mock(
|
||||
AuthorizationRequestRepository.class);
|
||||
this.filter.setAuthorizationRequestRepository(authorizationRequestRepository);
|
||||
this.filter.doFilter(request, response, filterChain);
|
||||
verifyZeroInteractions(filterChain);
|
||||
verify(authorizationRequestRepository, times(0)).saveAuthorizationRequest(any(OAuth2AuthorizationRequest.class),
|
||||
any(HttpServletRequest.class), any(HttpServletResponse.class));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterWhenCustomAuthorizationRequestBaseUriThenRedirectForAuthorization() throws Exception {
|
||||
String authorizationRequestBaseUri = "/custom/authorization";
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@ -28,8 +28,8 @@ import org.springframework.util.Assert;
|
||||
*
|
||||
* <p>
|
||||
* The OAuth 2.0 Authorization Framework defines four standard grant types: authorization
|
||||
* code, implicit, resource owner password credentials, and client credentials. It also
|
||||
* provides an extensibility mechanism for defining additional grant types.
|
||||
* code, resource owner password credentials, and client credentials. It also provides an
|
||||
* extensibility mechanism for defining additional grant types.
|
||||
*
|
||||
* @author Joe Grandja
|
||||
* @since 5.0
|
||||
@ -42,17 +42,6 @@ public final class AuthorizationGrantType implements Serializable {
|
||||
|
||||
public static final AuthorizationGrantType AUTHORIZATION_CODE = new AuthorizationGrantType("authorization_code");
|
||||
|
||||
/**
|
||||
* It is not recommended to use the implicit flow due to the inherent risks of
|
||||
* returning access tokens in an HTTP redirect without any confirmation that it has
|
||||
* been received by the client.
|
||||
*
|
||||
* @see <a target="_blank" href="https://oauth.net/2/grant-types/implicit/">OAuth 2.0
|
||||
* Implicit Grant</a>
|
||||
*/
|
||||
@Deprecated
|
||||
public static final AuthorizationGrantType IMPLICIT = new AuthorizationGrantType("implicit");
|
||||
|
||||
public static final AuthorizationGrantType REFRESH_TOKEN = new AuthorizationGrantType("refresh_token");
|
||||
|
||||
public static final AuthorizationGrantType CLIENT_CREDENTIALS = new AuthorizationGrantType("client_credentials");
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@ -41,7 +41,7 @@ import org.springframework.web.util.UriUtils;
|
||||
|
||||
/**
|
||||
* A representation of an OAuth 2.0 Authorization Request for the authorization code grant
|
||||
* type or implicit grant type.
|
||||
* type.
|
||||
*
|
||||
* @author Joe Grandja
|
||||
* @since 5.0
|
||||
@ -50,9 +50,6 @@ import org.springframework.web.util.UriUtils;
|
||||
* @see <a target="_blank" href=
|
||||
* "https://tools.ietf.org/html/rfc6749#section-4.1.1">Section 4.1.1 Authorization Code
|
||||
* Grant Request</a>
|
||||
* @see <a target="_blank" href=
|
||||
* "https://tools.ietf.org/html/rfc6749#section-4.2.1">Section 4.2.1 Implicit Grant
|
||||
* Request</a>
|
||||
*/
|
||||
public final class OAuth2AuthorizationRequest implements Serializable {
|
||||
|
||||
@ -191,20 +188,6 @@ public final class OAuth2AuthorizationRequest implements Serializable {
|
||||
return new Builder(AuthorizationGrantType.AUTHORIZATION_CODE);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns a new {@link Builder}, initialized with the implicit grant type.
|
||||
* @return the {@link Builder}
|
||||
* @deprecated It is not recommended to use the implicit flow due to the inherent
|
||||
* risks of returning access tokens in an HTTP redirect without any confirmation that
|
||||
* it has been received by the client.
|
||||
* @see <a target="_blank" href="https://oauth.net/2/grant-types/implicit/">OAuth 2.0
|
||||
* Implicit Grant</a>
|
||||
*/
|
||||
@Deprecated
|
||||
public static Builder implicit() {
|
||||
return new Builder(AuthorizationGrantType.IMPLICIT);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns a new {@link Builder}, initialized with the values from the provided
|
||||
* {@code authorizationRequest}.
|
||||
@ -265,9 +248,6 @@ public final class OAuth2AuthorizationRequest implements Serializable {
|
||||
if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(authorizationGrantType)) {
|
||||
this.responseType = OAuth2AuthorizationResponseType.CODE;
|
||||
}
|
||||
else if (AuthorizationGrantType.IMPLICIT.equals(authorizationGrantType)) {
|
||||
this.responseType = OAuth2AuthorizationResponseType.TOKEN;
|
||||
}
|
||||
this.uriBuilderFactory = new DefaultUriBuilderFactory();
|
||||
// The supplied authorizationUri may contain encoded parameters
|
||||
// so disable encoding in UriBuilder and instead apply encoding within this
|
||||
@ -440,9 +420,6 @@ public final class OAuth2AuthorizationRequest implements Serializable {
|
||||
public OAuth2AuthorizationRequest build() {
|
||||
Assert.hasText(this.authorizationUri, "authorizationUri cannot be empty");
|
||||
Assert.hasText(this.clientId, "clientId cannot be empty");
|
||||
if (AuthorizationGrantType.IMPLICIT.equals(this.authorizationGrantType)) {
|
||||
Assert.hasText(this.redirectUri, "redirectUri cannot be empty");
|
||||
}
|
||||
OAuth2AuthorizationRequest authorizationRequest = new OAuth2AuthorizationRequest();
|
||||
authorizationRequest.authorizationUri = this.authorizationUri;
|
||||
authorizationRequest.authorizationGrantType = this.authorizationGrantType;
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@ -23,14 +23,12 @@ import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
* The {@code response_type} parameter is consumed by the authorization endpoint which is
|
||||
* used by the authorization code grant type and implicit grant type. The client sets the
|
||||
* {@code response_type} parameter with the desired grant type before initiating the
|
||||
* authorization request.
|
||||
* used by the authorization code grant type. The client sets the {@code response_type}
|
||||
* parameter with the desired grant type before initiating the authorization request.
|
||||
*
|
||||
* <p>
|
||||
* The {@code response_type} parameter value may be one of "code" for requesting
|
||||
* an authorization code or "token" for requesting an access token (implicit
|
||||
* grant).
|
||||
* The {@code response_type} parameter value may be "code" for requesting an
|
||||
* authorization code.
|
||||
*
|
||||
* @author Joe Grandja
|
||||
* @since 5.0
|
||||
@ -43,17 +41,6 @@ public final class OAuth2AuthorizationResponseType implements Serializable {
|
||||
|
||||
public static final OAuth2AuthorizationResponseType CODE = new OAuth2AuthorizationResponseType("code");
|
||||
|
||||
/**
|
||||
* It is not recommended to use the implicit flow due to the inherent risks of
|
||||
* returning access tokens in an HTTP redirect without any confirmation that it has
|
||||
* been received by the client.
|
||||
*
|
||||
* @see <a target="_blank" href="https://oauth.net/2/grant-types/implicit/">OAuth 2.0
|
||||
* Implicit Grant</a>
|
||||
*/
|
||||
@Deprecated
|
||||
public static final OAuth2AuthorizationResponseType TOKEN = new OAuth2AuthorizationResponseType("token");
|
||||
|
||||
private final String value;
|
||||
|
||||
public OAuth2AuthorizationResponseType(String value) {
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@ -38,11 +38,6 @@ public class AuthorizationGrantTypeTests {
|
||||
assertThat(AuthorizationGrantType.AUTHORIZATION_CODE.getValue()).isEqualTo("authorization_code");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getValueWhenImplicitGrantTypeThenReturnImplicit() {
|
||||
assertThat(AuthorizationGrantType.IMPLICIT.getValue()).isEqualTo("implicit");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getValueWhenRefreshTokenGrantTypeThenReturnRefreshToken() {
|
||||
assertThat(AuthorizationGrantType.REFRESH_TOKEN.getValue()).isEqualTo("refresh_token");
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@ -79,20 +79,6 @@ public class OAuth2AuthorizationRequestTests {
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@Test
|
||||
public void buildWhenRedirectUriIsNullForImplicitThenThrowIllegalArgumentException() {
|
||||
// @formatter:off
|
||||
assertThatIllegalArgumentException()
|
||||
.isThrownBy(() -> OAuth2AuthorizationRequest.implicit()
|
||||
.authorizationUri(AUTHORIZATION_URI)
|
||||
.clientId(CLIENT_ID)
|
||||
.redirectUri(null)
|
||||
.scopes(SCOPES)
|
||||
.state(STATE).build()
|
||||
);
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@Test
|
||||
public void buildWhenRedirectUriIsNullForAuthorizationCodeThenDoesNotThrowAnyException() {
|
||||
// @formatter:off
|
||||
@ -146,21 +132,6 @@ public class OAuth2AuthorizationRequestTests {
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@Test
|
||||
public void buildWhenImplicitThenGrantTypeResponseTypeIsSet() {
|
||||
// @formatter:off
|
||||
OAuth2AuthorizationRequest authorizationRequest = OAuth2AuthorizationRequest.implicit()
|
||||
.authorizationUri(AUTHORIZATION_URI)
|
||||
.clientId(CLIENT_ID)
|
||||
.redirectUri(REDIRECT_URI)
|
||||
.scopes(SCOPES)
|
||||
.state(STATE)
|
||||
.build();
|
||||
// @formatter:on
|
||||
assertThat(authorizationRequest.getGrantType()).isEqualTo(AuthorizationGrantType.IMPLICIT);
|
||||
assertThat(authorizationRequest.getResponseType()).isEqualTo(OAuth2AuthorizationResponseType.TOKEN);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void buildWhenAuthorizationCodeThenGrantTypeResponseTypeIsSet() {
|
||||
// @formatter:off
|
||||
@ -208,22 +179,6 @@ public class OAuth2AuthorizationRequestTests {
|
||||
assertThat(authorizationRequest.getAuthorizationRequestUri()).isEqualTo(AUTHORIZATION_URI);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void buildWhenScopesMultiThenSeparatedByEncodedSpace() {
|
||||
// @formatter:off
|
||||
OAuth2AuthorizationRequest authorizationRequest = OAuth2AuthorizationRequest.implicit()
|
||||
.authorizationUri(AUTHORIZATION_URI)
|
||||
.clientId(CLIENT_ID)
|
||||
.redirectUri(REDIRECT_URI)
|
||||
.scopes(SCOPES)
|
||||
.state(STATE)
|
||||
.build();
|
||||
// @formatter:on
|
||||
assertThat(authorizationRequest.getAuthorizationRequestUri())
|
||||
.isEqualTo("https://provider.com/oauth2/authorize?" + "response_type=token&client_id=client-id&"
|
||||
+ "scope=scope1%20scope2&state=state&" + "redirect_uri=https://example.com");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void buildWhenAuthorizationRequestUriSetThenOverridesDefault() {
|
||||
// @formatter:off
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2017 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@ -32,9 +32,4 @@ public class OAuth2AuthorizationResponseTypeTests {
|
||||
assertThat(OAuth2AuthorizationResponseType.CODE.getValue()).isEqualTo("code");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void getValueWhenResponseTypeTokenThenReturnToken() {
|
||||
assertThat(OAuth2AuthorizationResponseType.TOKEN.getValue()).isEqualTo("token");
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user