diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/ImplicitGrantConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/ImplicitGrantConfigurer.java
deleted file mode 100644
index ac3888e6ee..0000000000
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/ImplicitGrantConfigurer.java
+++ /dev/null
@@ -1,105 +0,0 @@
-/*
- * Copyright 2002-2020 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.config.annotation.web.configurers.oauth2.client;
-
-import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
-import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
-import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
-import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
-import org.springframework.util.Assert;
-
-/**
- * An {@link AbstractHttpConfigurer} for the OAuth 2.0 Implicit Grant type.
- *
* It builds the OAuth 2.0 Authorization Request, which is used as the redirect
@@ -80,11 +79,6 @@ import org.springframework.web.filter.OncePerRequestFilter;
* @see Section 4.1.1 Authorization Request
* (Authorization Code)
- * @see Section
- * 4.2 Implicit Grant
- * @see Section 4.2.1 Authorization Request
- * (Implicit)
*/
public class OAuth2AuthorizationRequestRedirectFilter extends OncePerRequestFilter {
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/DefaultServerOAuth2AuthorizationRequestResolver.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/DefaultServerOAuth2AuthorizationRequestResolver.java
index b5f557bffe..6df5ca4563 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/DefaultServerOAuth2AuthorizationRequestResolver.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/DefaultServerOAuth2AuthorizationRequestResolver.java
@@ -201,9 +201,6 @@ public class DefaultServerOAuth2AuthorizationRequestResolver implements ServerOA
}
return builder;
}
- if (AuthorizationGrantType.IMPLICIT.equals(clientRegistration.getAuthorizationGrantType())) {
- return OAuth2AuthorizationRequest.implicit();
- }
throw new IllegalArgumentException(
"Invalid Authorization Grant Type (" + clientRegistration.getAuthorizationGrantType().getValue() + ") for Client Registration with Id: " + clientRegistration.getRegistrationId());
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/OAuth2AuthorizationRequestRedirectWebFilter.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/OAuth2AuthorizationRequestRedirectWebFilter.java
index 1b20821a56..deab87c078 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/OAuth2AuthorizationRequestRedirectWebFilter.java
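Review bot: With the IMPLICIT branch removed, a ClientRegistration whose grant type is still "implicit" is not rejected anywhere earlier than the `throw new IllegalArgumentException(...)` at the end of this hunk, which now runs on every request for that registration rather than once when the configuration is loaded. Deleting the `IMPLICIT` constant does not retire the value: AuthorizationGrantType wraps a plain string, so `new AuthorizationGrantType("implicit")` still compiles and a configuration binder that maps the string directly will keep producing such registrations from stale property files. Consider rejecting the implicit value when the ClientRegistration is built so that a stale configuration fails at startup, and state the contract in this method's Javadoc, e.g. `Only {@link AuthorizationGrantType#AUTHORIZATION_CODE} registrations can be resolved here; any other grant type results in an {@link IllegalArgumentException}.` The enclosing method starts outside this hunk.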
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/OAuth2AuthorizationRequestRedirectWebFilter.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -38,9 +38,8 @@ import org.springframework.web.server.WebFilterChain;
import org.springframework.web.util.UriComponentsBuilder;
/**
- * This {@code WebFilter} initiates the authorization code grant or implicit grant flow by
- * redirecting the End-User's user-agent to the Authorization Server's Authorization
- * Endpoint.
+ * This {@code WebFilter} initiates the authorization code grant flow by redirecting the
+ * End-User's user-agent to the Authorization Server's Authorization Endpoint.
*
*
* It builds the OAuth 2.0 Authorization Request, which is used as the redirect
@@ -67,11 +66,6 @@ import org.springframework.web.util.UriComponentsBuilder;
* @see Section 4.1.1 Authorization Request
* (Authorization Code)
- * @see Section
- * 4.2 Implicit Grant
- * @see Section 4.2.1 Authorization Request
- * (Implicit)
*/
public class OAuth2AuthorizationRequestRedirectWebFilter implements WebFilter {
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/OAuth2ClientCredentialsGrantRequestTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/OAuth2ClientCredentialsGrantRequestTests.java
index abffc98849..27b34b0b41 100644
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/OAuth2ClientCredentialsGrantRequestTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/OAuth2ClientCredentialsGrantRequestTests.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -54,22 +54,6 @@ public class OAuth2ClientCredentialsGrantRequestTests {
assertThatIllegalArgumentException().isThrownBy(() -> new OAuth2ClientCredentialsGrantRequest(null));
}
- @Test
- public void constructorWhenClientRegistrationInvalidGrantTypeThenThrowIllegalArgumentException() {
- // @formatter:off
- ClientRegistration clientRegistration = ClientRegistration.withRegistrationId("registration-1")
- .clientId("client-1")
- .authorizationGrantType(AuthorizationGrantType.IMPLICIT)
- .redirectUri("https://localhost:8080/redirect-uri")
- .authorizationUri("https://provider.com/oauth2/auth")
- .clientName("Client 1")
- .build();
- // @formatter:on
- assertThatIllegalArgumentException()
- .isThrownBy(() -> new OAuth2ClientCredentialsGrantRequest(clientRegistration)).withMessage(
- "clientRegistration.authorizationGrantType must be AuthorizationGrantType.CLIENT_CREDENTIALS");
- }
-
@Test
public void constructorWhenValidParametersProvidedThenCreated() {
OAuth2ClientCredentialsGrantRequest clientCredentialsGrantRequest = new OAuth2ClientCredentialsGrantRequest(
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserRequestUtilsTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserRequestUtilsTests.java
index 32fb23b5c9..353cc4170e 100644
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserRequestUtilsTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserRequestUtilsTests.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -63,7 +63,7 @@ public class OidcUserRequestUtilsTests {
@Test
public void shouldRetrieveUserInfoWhenNotAuthorizationCodeThenFalse() {
- this.registration.authorizationGrantType(AuthorizationGrantType.IMPLICIT);
+ this.registration.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS);
assertThat(OidcUserRequestUtils.shouldRetrieveUserInfo(userRequest())).isFalse();
}
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationTests.java
index 5ee2ad432f..73b7855d76 100644
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationTests.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -431,129 +431,6 @@ public class ClientRegistrationTests {
assertThat(clientRegistration.getProviderDetails().getConfigurationMetadata()).isEmpty();
}
- @Test
- public void buildWhenImplicitGrantAllAttributesProvidedThenAllAttributesAreSet() {
- // @formatter:off
- ClientRegistration registration = ClientRegistration.withRegistrationId(REGISTRATION_ID)
- .clientId(CLIENT_ID)
- .authorizationGrantType(AuthorizationGrantType.IMPLICIT)
- .redirectUri(REDIRECT_URI)
- .scope(SCOPES.toArray(new String[0]))
- .authorizationUri(AUTHORIZATION_URI)
- .userInfoAuthenticationMethod(AuthenticationMethod.FORM)
- .clientName(CLIENT_NAME)
- .build();
- // @formatter:on
- assertThat(registration.getRegistrationId()).isEqualTo(REGISTRATION_ID);
- assertThat(registration.getClientId()).isEqualTo(CLIENT_ID);
- assertThat(registration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.IMPLICIT);
- assertThat(registration.getRedirectUri()).isEqualTo(REDIRECT_URI);
- assertThat(registration.getScopes()).isEqualTo(SCOPES);
- assertThat(registration.getProviderDetails().getAuthorizationUri()).isEqualTo(AUTHORIZATION_URI);
- assertThat(registration.getProviderDetails().getUserInfoEndpoint().getAuthenticationMethod())
- .isEqualTo(AuthenticationMethod.FORM);
- assertThat(registration.getClientName()).isEqualTo(CLIENT_NAME);
- }
-
- @Test
- public void buildWhenImplicitGrantRegistrationIdIsNullThenThrowIllegalArgumentException() {
- assertThatIllegalArgumentException().isThrownBy(() ->
- // @formatter:off
- ClientRegistration.withRegistrationId(null)
- .clientId(CLIENT_ID)
- .authorizationGrantType(AuthorizationGrantType.IMPLICIT)
- .redirectUri(REDIRECT_URI)
- .scope(SCOPES.toArray(new String[0]))
- .authorizationUri(AUTHORIZATION_URI)
- .userInfoAuthenticationMethod(AuthenticationMethod.FORM)
- .clientName(CLIENT_NAME)
- .build()
- // @formatter:on
- );
- }
-
- @Test
- public void buildWhenImplicitGrantClientIdIsNullThenThrowIllegalArgumentException() {
- assertThatIllegalArgumentException().isThrownBy(() ->
- // @formatter:off
- ClientRegistration.withRegistrationId(REGISTRATION_ID)
- .clientId(null)
- .authorizationGrantType(AuthorizationGrantType.IMPLICIT)
- .redirectUri(REDIRECT_URI)
- .scope(SCOPES.toArray(new String[0]))
- .authorizationUri(AUTHORIZATION_URI)
- .userInfoAuthenticationMethod(AuthenticationMethod.FORM)
- .clientName(CLIENT_NAME)
- .build()
- // @formatter:on
- );
- }
-
- @Test
- public void buildWhenImplicitGrantRedirectUriIsNullThenThrowIllegalArgumentException() {
- assertThatIllegalArgumentException().isThrownBy(() ->
- // @formatter:off
- ClientRegistration.withRegistrationId(REGISTRATION_ID)
- .clientId(CLIENT_ID)
- .authorizationGrantType(AuthorizationGrantType.IMPLICIT)
- .redirectUri(null)
- .scope(SCOPES.toArray(new String[0]))
- .authorizationUri(AUTHORIZATION_URI)
- .userInfoAuthenticationMethod(AuthenticationMethod.FORM)
- .clientName(CLIENT_NAME)
- .build()
- // @formatter:on
- );
- }
-
- // gh-5494
- @Test
- public void buildWhenImplicitGrantScopeIsNullThenScopeNotRequired() {
- // @formatter:off
- ClientRegistration.withRegistrationId(REGISTRATION_ID)
- .clientId(CLIENT_ID)
- .authorizationGrantType(AuthorizationGrantType.IMPLICIT)
- .redirectUri(REDIRECT_URI)
- .scope((String[]) null)
- .authorizationUri(AUTHORIZATION_URI)
- .userInfoAuthenticationMethod(AuthenticationMethod.FORM)
- .clientName(CLIENT_NAME)
- .build();
- // @formatter:on
- }
-
- @Test
- public void buildWhenImplicitGrantAuthorizationUriIsNullThenThrowIllegalArgumentException() {
- assertThatIllegalArgumentException().isThrownBy(() ->
- // @formatter:off
- ClientRegistration.withRegistrationId(REGISTRATION_ID)
- .clientId(CLIENT_ID)
- .authorizationGrantType(AuthorizationGrantType.IMPLICIT)
- .redirectUri(REDIRECT_URI)
- .scope(SCOPES.toArray(new String[0]))
- .authorizationUri(null)
- .userInfoAuthenticationMethod(AuthenticationMethod.FORM)
- .clientName(CLIENT_NAME)
- .build()
- // @formatter:on
- );
- }
-
- @Test
- public void buildWhenImplicitGrantClientNameNotProvidedThenDefaultToRegistrationId() {
- // @formatter:off
- ClientRegistration clientRegistration = ClientRegistration.withRegistrationId(REGISTRATION_ID)
- .clientId(CLIENT_ID)
- .authorizationGrantType(AuthorizationGrantType.IMPLICIT)
- .redirectUri(REDIRECT_URI)
- .scope(SCOPES.toArray(new String[0]))
- .authorizationUri(AUTHORIZATION_URI)
- .userInfoAuthenticationMethod(AuthenticationMethod.FORM)
- .build();
- // @formatter:on
- assertThat(clientRegistration.getClientName()).isEqualTo(clientRegistration.getRegistrationId());
- }
-
@Test
public void buildWhenOverrideRegistrationIdThenOverridden() {
String overriddenId = "override";
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java
index 6684f5510b..c4928dde74 100644
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -37,7 +37,6 @@ import org.springframework.security.oauth2.client.registration.ClientRegistratio
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.TestClientRegistrations;
-import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.util.ClassUtils;
@@ -49,7 +48,6 @@ import static org.mockito.ArgumentMatchers.any;
import static org.mockito.BDDMockito.given;
import static org.mockito.BDDMockito.willThrow;
import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyZeroInteractions;
@@ -64,8 +62,6 @@ public class OAuth2AuthorizationRequestRedirectFilterTests {
private ClientRegistration registration2;
- private ClientRegistration registration3;
-
private ClientRegistrationRepository clientRegistrationRepository;
private OAuth2AuthorizationRequestRedirectFilter filter;
@@ -76,15 +72,8 @@ public class OAuth2AuthorizationRequestRedirectFilterTests {
public void setUp() {
this.registration1 = TestClientRegistrations.clientRegistration().build();
this.registration2 = TestClientRegistrations.clientRegistration2().build();
- // @formatter:off
- this.registration3 = TestClientRegistrations.clientRegistration()
- .registrationId("registration-3")
- .authorizationGrantType(AuthorizationGrantType.IMPLICIT)
- .redirectUri("{baseUrl}/authorize/oauth2/implicit/{registrationId}")
- .build();
- // @formatter:on
this.clientRegistrationRepository = new InMemoryClientRegistrationRepository(this.registration1,
- this.registration2, this.registration3);
+ this.registration2);
this.filter = new OAuth2AuthorizationRequestRedirectFilter(this.clientRegistrationRepository);
this.requestCache = mock(RequestCache.class);
this.filter.setRequestCache(this.requestCache);
@@ -177,38 +166,6 @@ public class OAuth2AuthorizationRequestRedirectFilterTests {
any(HttpServletRequest.class), any(HttpServletResponse.class));
}
- @Test
- public void doFilterWhenAuthorizationRequestImplicitGrantThenRedirectForAuthorization() throws Exception {
- String requestUri = OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI + "/"
- + this.registration3.getRegistrationId();
- MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
- request.setServletPath(requestUri);
- MockHttpServletResponse response = new MockHttpServletResponse();
- FilterChain filterChain = mock(FilterChain.class);
- this.filter.doFilter(request, response, filterChain);
- verifyZeroInteractions(filterChain);
- assertThat(response.getRedirectedUrl()).matches("https://example.com/login/oauth/authorize\\?"
- + "response_type=token&client_id=client-id&" + "scope=read:user&state=.{15,}&"
- + "redirect_uri=http://localhost/authorize/oauth2/implicit/registration-3");
- }
-
- @Test
- public void doFilterWhenAuthorizationRequestImplicitGrantThenAuthorizationRequestNotSaved() throws Exception {
- String requestUri = OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI + "/"
- + this.registration3.getRegistrationId();
- MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
- request.setServletPath(requestUri);
- MockHttpServletResponse response = new MockHttpServletResponse();
- FilterChain filterChain = mock(FilterChain.class);
- AuthorizationRequestRepository
* The OAuth 2.0 Authorization Framework defines four standard grant types: authorization
- * code, implicit, resource owner password credentials, and client credentials. It also
- * provides an extensibility mechanism for defining additional grant types.
+ * code, resource owner password credentials, and client credentials. It also provides an
+ * extensibility mechanism for defining additional grant types.
*
* @author Joe Grandja
* @since 5.0
@@ -42,17 +42,6 @@ public final class AuthorizationGrantType implements Serializable {
public static final AuthorizationGrantType AUTHORIZATION_CODE = new AuthorizationGrantType("authorization_code");
- /**
- * It is not recommended to use the implicit flow due to the inherent risks of
- * returning access tokens in an HTTP redirect without any confirmation that it has
- * been received by the client.
- *
- * @see OAuth 2.0
- * Implicit Grant
- */
- @Deprecated
- public static final AuthorizationGrantType IMPLICIT = new AuthorizationGrantType("implicit");
-
public static final AuthorizationGrantType REFRESH_TOKEN = new AuthorizationGrantType("refresh_token");
public static final AuthorizationGrantType CLIENT_CREDENTIALS = new AuthorizationGrantType("client_credentials");
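Review bot: The class Javadoc directly above this hunk now says the framework "defines four standard grant types" and then enumerates only three, because dropping the `IMPLICIT` constant here was mirrored in the list but not in the count. The RFC's count is right, so keep it and say which ones this class represents, e.g. `* The OAuth 2.0 Authorization Framework defines four standard grant types, of which authorization` / `* code, resource owner password credentials, and client credentials are represented here. It also` / `* provides an extensibility mechanism for defining additional grant types.` Removing the constant itself is consistent with the parallel removal of OAuth2AuthorizationResponseType.TOKEN further down in this patch.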
diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequest.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequest.java
index 9809ea6c1f..8522af771c 100644
--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequest.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequest.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -41,7 +41,7 @@ import org.springframework.web.util.UriUtils;
/**
* A representation of an OAuth 2.0 Authorization Request for the authorization code grant
- * type or implicit grant type.
+ * type.
*
* @author Joe Grandja
* @since 5.0
@@ -50,9 +50,6 @@ import org.springframework.web.util.UriUtils;
* @see Section 4.1.1 Authorization Code
* Grant Request
- * @see Section 4.2.1 Implicit Grant
- * Request
*/
public final class OAuth2AuthorizationRequest implements Serializable {
@@ -191,20 +188,6 @@ public final class OAuth2AuthorizationRequest implements Serializable {
return new Builder(AuthorizationGrantType.AUTHORIZATION_CODE);
}
- /**
- * Returns a new {@link Builder}, initialized with the implicit grant type.
- * @return the {@link Builder}
- * @deprecated It is not recommended to use the implicit flow due to the inherent
- * risks of returning access tokens in an HTTP redirect without any confirmation that
- * it has been received by the client.
- * @see OAuth 2.0
- * Implicit Grant
- */
- @Deprecated
- public static Builder implicit() {
- return new Builder(AuthorizationGrantType.IMPLICIT);
- }
-
/**
* Returns a new {@link Builder}, initialized with the values from the provided
* {@code authorizationRequest}.
@@ -265,9 +248,6 @@ public final class OAuth2AuthorizationRequest implements Serializable {
if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(authorizationGrantType)) {
this.responseType = OAuth2AuthorizationResponseType.CODE;
}
- else if (AuthorizationGrantType.IMPLICIT.equals(authorizationGrantType)) {
- this.responseType = OAuth2AuthorizationResponseType.TOKEN;
- }
this.uriBuilderFactory = new DefaultUriBuilderFactory();
// The supplied authorizationUri may contain encoded parameters
// so disable encoding in UriBuilder and instead apply encoding within this
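Review bot: After the `else if` branch is dropped, `this.responseType` stays null for any grant type other than AUTHORIZATION_CODE, and the remaining `if` accepts such a grant type without complaint. If `from(authorizationRequest)` seeds a Builder from the request's own grant type (its Javadoc in the hunk above suggests it copies the request's values), a request deserialized from an older version that still carries the implicit value would yield a Builder whose response_type is never set. Since only the authorization code grant remains supported, fail fast instead: replace the `if` with `Assert.isTrue(AuthorizationGrantType.AUTHORIZATION_CODE.equals(authorizationGrantType), "authorizationGrantType must be AUTHORIZATION_CODE");` followed by an unconditional `this.responseType = OAuth2AuthorizationResponseType.CODE;`. The Builder constructor starts and ends outside this hunk. Separately, OAuth2AuthorizationRequestTests deletes buildWhenScopesMultiThenSeparatedByEncodedSpace outright although the scope-encoding behaviour it covered does not depend on the grant type; it could be kept against `authorizationCode()` with `response_type=code` in the expected URI.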
@@ -440,9 +420,6 @@ public final class OAuth2AuthorizationRequest implements Serializable {
public OAuth2AuthorizationRequest build() {
Assert.hasText(this.authorizationUri, "authorizationUri cannot be empty");
Assert.hasText(this.clientId, "clientId cannot be empty");
- if (AuthorizationGrantType.IMPLICIT.equals(this.authorizationGrantType)) {
- Assert.hasText(this.redirectUri, "redirectUri cannot be empty");
- }
OAuth2AuthorizationRequest authorizationRequest = new OAuth2AuthorizationRequest();
authorizationRequest.authorizationUri = this.authorizationUri;
authorizationRequest.authorizationGrantType = this.authorizationGrantType;
diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationResponseType.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationResponseType.java
index 5bf21389db..9efaafafa9 100644
--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationResponseType.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationResponseType.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -23,14 +23,12 @@ import org.springframework.util.Assert;
/**
* The {@code response_type} parameter is consumed by the authorization endpoint which is
- * used by the authorization code grant type and implicit grant type. The client sets the
- * {@code response_type} parameter with the desired grant type before initiating the
- * authorization request.
+ * used by the authorization code grant type. The client sets the {@code response_type}
+ * parameter with the desired grant type before initiating the authorization request.
*
*
- * The {@code response_type} parameter value may be one of "code" for requesting
- * an authorization code or "token" for requesting an access token (implicit
- * grant).
+ * The {@code response_type} parameter value may be "code" for requesting an
+ * authorization code.
*
* @author Joe Grandja
* @since 5.0
@@ -43,17 +41,6 @@ public final class OAuth2AuthorizationResponseType implements Serializable {
public static final OAuth2AuthorizationResponseType CODE = new OAuth2AuthorizationResponseType("code");
- /**
- * It is not recommended to use the implicit flow due to the inherent risks of
- * returning access tokens in an HTTP redirect without any confirmation that it has
- * been received by the client.
- *
- * @see OAuth 2.0
- * Implicit Grant
- */
- @Deprecated
- public static final OAuth2AuthorizationResponseType TOKEN = new OAuth2AuthorizationResponseType("token");
-
private final String value;
public OAuth2AuthorizationResponseType(String value) {
diff --git a/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/AuthorizationGrantTypeTests.java b/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/AuthorizationGrantTypeTests.java
index dfbeb1c7d9..101224f743 100644
--- a/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/AuthorizationGrantTypeTests.java
+++ b/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/AuthorizationGrantTypeTests.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -38,11 +38,6 @@ public class AuthorizationGrantTypeTests {
assertThat(AuthorizationGrantType.AUTHORIZATION_CODE.getValue()).isEqualTo("authorization_code");
}
- @Test
- public void getValueWhenImplicitGrantTypeThenReturnImplicit() {
- assertThat(AuthorizationGrantType.IMPLICIT.getValue()).isEqualTo("implicit");
- }
-
@Test
public void getValueWhenRefreshTokenGrantTypeThenReturnRefreshToken() {
assertThat(AuthorizationGrantType.REFRESH_TOKEN.getValue()).isEqualTo("refresh_token");
diff --git a/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequestTests.java b/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequestTests.java
index 0101ecae59..83e130a2cf 100644
--- a/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequestTests.java
+++ b/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequestTests.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -79,20 +79,6 @@ public class OAuth2AuthorizationRequestTests {
// @formatter:on
}
- @Test
- public void buildWhenRedirectUriIsNullForImplicitThenThrowIllegalArgumentException() {
- // @formatter:off
- assertThatIllegalArgumentException()
- .isThrownBy(() -> OAuth2AuthorizationRequest.implicit()
- .authorizationUri(AUTHORIZATION_URI)
- .clientId(CLIENT_ID)
- .redirectUri(null)
- .scopes(SCOPES)
- .state(STATE).build()
- );
- // @formatter:on
- }
-
@Test
public void buildWhenRedirectUriIsNullForAuthorizationCodeThenDoesNotThrowAnyException() {
// @formatter:off
@@ -146,21 +132,6 @@ public class OAuth2AuthorizationRequestTests {
// @formatter:on
}
- @Test
- public void buildWhenImplicitThenGrantTypeResponseTypeIsSet() {
- // @formatter:off
- OAuth2AuthorizationRequest authorizationRequest = OAuth2AuthorizationRequest.implicit()
- .authorizationUri(AUTHORIZATION_URI)
- .clientId(CLIENT_ID)
- .redirectUri(REDIRECT_URI)
- .scopes(SCOPES)
- .state(STATE)
- .build();
- // @formatter:on
- assertThat(authorizationRequest.getGrantType()).isEqualTo(AuthorizationGrantType.IMPLICIT);
- assertThat(authorizationRequest.getResponseType()).isEqualTo(OAuth2AuthorizationResponseType.TOKEN);
- }
-
@Test
public void buildWhenAuthorizationCodeThenGrantTypeResponseTypeIsSet() {
// @formatter:off
@@ -208,22 +179,6 @@ public class OAuth2AuthorizationRequestTests {
assertThat(authorizationRequest.getAuthorizationRequestUri()).isEqualTo(AUTHORIZATION_URI);
}
- @Test
- public void buildWhenScopesMultiThenSeparatedByEncodedSpace() {
- // @formatter:off
- OAuth2AuthorizationRequest authorizationRequest = OAuth2AuthorizationRequest.implicit()
- .authorizationUri(AUTHORIZATION_URI)
- .clientId(CLIENT_ID)
- .redirectUri(REDIRECT_URI)
- .scopes(SCOPES)
- .state(STATE)
- .build();
- // @formatter:on
- assertThat(authorizationRequest.getAuthorizationRequestUri())
- .isEqualTo("https://provider.com/oauth2/authorize?" + "response_type=token&client_id=client-id&"
- + "scope=scope1%20scope2&state=state&" + "redirect_uri=https://example.com");
- }
-
@Test
public void buildWhenAuthorizationRequestUriSetThenOverridesDefault() {
// @formatter:off
diff --git a/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationResponseTypeTests.java b/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationResponseTypeTests.java
index 0f8371d0cb..3e60ae8168 100644
--- a/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationResponseTypeTests.java
+++ b/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationResponseTypeTests.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -32,9 +32,4 @@ public class OAuth2AuthorizationResponseTypeTests {
assertThat(OAuth2AuthorizationResponseType.CODE.getValue()).isEqualTo("code");
}
- @Test
- public void getValueWhenResponseTypeTokenThenReturnToken() {
- assertThat(OAuth2AuthorizationResponseType.TOKEN.getValue()).isEqualTo("token");
- }
-
}