Extract OidcUserRequestUtils
This logic is shared by both reactive and non-reactive clients. Issue: gh-5330
This commit is contained in:
Rob Winch
parent
4d1c8f26c5
commit
adb8c60173
|
|
@ -0,0 +1,70 @@
|
|||
/*
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.oauth2.client.oidc.userinfo;
|
||||
|
||||
import org.springframework.security.oauth2.client.registration.ClientRegistration;
|
||||
import org.springframework.security.oauth2.core.AuthorizationGrantType;
|
||||
import org.springframework.util.CollectionUtils;
|
||||
import org.springframework.util.StringUtils;
|
||||
|
||||
/**
|
||||
* Utilities for working with the {@link OidcUserRequest}
|
||||
*
|
||||
* @author Rob Winch
|
||||
* @since 5.1
|
||||
*/
|
||||
final class OidcUserRequestUtils {
|
||||
|
||||
/**
|
||||
* Determines if an {@link OidcUserRequest} should attempt to retrieve the user info endpoint. Will return true if
|
||||
* all of the following are true:
|
||||
*
|
||||
* <ul>
|
||||
* <li>The user info endpoint is defined on the ClientRegistration</li>
|
||||
* <li>The Client Registration uses the {@link AuthorizationGrantType#AUTHORIZATION_CODE} and scopes in the
|
||||
* access token are defined in the {@link ClientRegistration}</li>
|
||||
* </ul>
|
||||
* @param userRequest
|
||||
* @return
|
||||
*/
|
||||
static boolean shouldRetrieveUserInfo(OidcUserRequest userRequest) {
|
||||
// Auto-disabled if UserInfo Endpoint URI is not provided
|
||||
ClientRegistration clientRegistration = userRequest.getClientRegistration();
|
||||
if (StringUtils.isEmpty(clientRegistration.getProviderDetails()
|
||||
.getUserInfoEndpoint().getUri())) {
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
// The Claims requested by the profile, email, address, and phone scope values
|
||||
// are returned from the UserInfo Endpoint (as described in Section 5.3.2),
|
||||
// when a response_type value is used that results in an Access Token being issued.
|
||||
// However, when no Access Token is issued, which is the case for the response_type=id_token,
|
||||
// the resulting Claims are returned in the ID Token.
|
||||
// The Authorization Code Grant Flow, which is response_type=code, results in an Access Token being issued.
|
||||
if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(clientRegistration.getAuthorizationGrantType())) {
|
||||
|
||||
// Return true if there is at least one match between the authorized scope(s) and UserInfo scope(s)
|
||||
return CollectionUtils
|
||||
.containsAny(userRequest.getAccessToken().getScopes(), userRequest.getClientRegistration().getScopes());
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
private OidcUserRequestUtils() {}
|
||||
}
|
||||
|
|
@ -0,0 +1,89 @@
|
|||
/*
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.oauth2.client.oidc.userinfo;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.springframework.security.oauth2.client.registration.ClientRegistration;
|
||||
import org.springframework.security.oauth2.core.AuthorizationGrantType;
|
||||
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
|
||||
import org.springframework.security.oauth2.core.OAuth2AccessToken;
|
||||
import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
|
||||
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
|
||||
|
||||
import java.time.Duration;
|
||||
import java.time.Instant;
|
||||
import java.util.Collections;
|
||||
|
||||
import static org.assertj.core.api.Assertions.*;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
* @since 5.1
|
||||
*/
|
||||
public class OidcUserRequestUtilsTests {
|
||||
private ClientRegistration.Builder registration = ClientRegistration.withRegistrationId("id")
|
||||
.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
|
||||
.authorizationUri("https://example.com/oauth2/authorize")
|
||||
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
|
||||
.userInfoUri("https://example.com/users/me")
|
||||
.clientId("client-id")
|
||||
.clientName("client-name")
|
||||
.clientSecret("client-secret")
|
||||
.redirectUriTemplate("{baseUrl}/login/oauth2/code/{registrationId}")
|
||||
.scope("user")
|
||||
.tokenUri("https://example.com/oauth/access_token");
|
||||
|
||||
OidcIdToken idToken = new OidcIdToken("token123", Instant.now(),
|
||||
Instant.now().plusSeconds(3600), Collections
|
||||
.singletonMap(IdTokenClaimNames.SUB, "sub123"));
|
||||
|
||||
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
|
||||
"token",
|
||||
Instant.now(),
|
||||
Instant.now().plus(Duration.ofDays(1)),
|
||||
Collections.singleton("user"));
|
||||
|
||||
@Test
|
||||
public void shouldRetrieveUserInfoWhenEndpointDefinedAndScopesOverlapThenTrue() {
|
||||
assertThat(OidcUserRequestUtils.shouldRetrieveUserInfo(userRequest())).isTrue();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void shouldRetrieveUserInfoWhenNoUserInfoUriThenFalse() {
|
||||
this.registration.userInfoUri(null);
|
||||
|
||||
assertThat(OidcUserRequestUtils.shouldRetrieveUserInfo(userRequest())).isFalse();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void shouldRetrieveUserInfoWhenDifferentScopesThenFalse() {
|
||||
this.registration.scope("notintoken");
|
||||
|
||||
assertThat(OidcUserRequestUtils.shouldRetrieveUserInfo(userRequest())).isFalse();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void shouldRetrieveUserInfoWhenNotAuthorizationCodeThenFalse() {
|
||||
this.registration.authorizationGrantType(AuthorizationGrantType.IMPLICIT);
|
||||
|
||||
assertThat(OidcUserRequestUtils.shouldRetrieveUserInfo(userRequest())).isFalse();
|
||||
}
|
||||
|
||||
private OidcUserRequest userRequest() {
|
||||
return new OidcUserRequest(this.registration.build(), this.accessToken, this.idToken);
|
||||
}
|
||||
}
|
||||
Loading…
Reference in New Issue