diff --git a/samples/boot/oauth2login/src/integration-test/java/sample/OAuth2LoginApplicationTests.java b/samples/boot/oauth2login/src/integration-test/java/sample/OAuth2LoginApplicationTests.java
index 89a0b26b6f..ebb5a08523 100644
--- a/samples/boot/oauth2login/src/integration-test/java/sample/OAuth2LoginApplicationTests.java
+++ b/samples/boot/oauth2login/src/integration-test/java/sample/OAuth2LoginApplicationTests.java
@@ -18,6 +18,7 @@ package sample;
import java.net.URI;
import java.net.URL;
import java.net.URLDecoder;
+import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
@@ -40,6 +41,7 @@ import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -51,7 +53,9 @@ import org.springframework.security.oauth2.client.registration.ClientRegistratio
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
+import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
@@ -61,6 +65,7 @@ import org.springframework.security.oauth2.core.user.DefaultOAuth2User;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;
import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;
@@ -68,6 +73,10 @@ import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
+import static org.springframework.security.oauth2.core.oidc.IdTokenClaimNames.SUB;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.oidcLogin;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.model;
/**
* Integration tests for the OAuth 2.0 client filters {@link OAuth2AuthorizationRequestRedirectFilter}
@@ -87,6 +96,9 @@ public class OAuth2LoginApplicationTests {
@Autowired
private WebClient webClient;
+ @Autowired
+ private MockMvc mvc;
+
@Autowired
private ClientRegistrationRepository clientRegistrationRepository;
@@ -284,6 +296,15 @@ public class OAuth2LoginApplicationTests {
assertThat(errorElement.asText()).contains("invalid_redirect_uri_parameter");
}
+ @Test
+ public void requestWhenMockOidcLoginThenIndex() throws Exception {
+ ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId("github");
+ this.mvc.perform(get("/").with(oidcLogin().clientRegistration(clientRegistration)))
+ .andExpect(model().attribute("userName", "test-subject"))
+ .andExpect(model().attribute("clientName", "GitHub"))
+ .andExpect(model().attribute("userAttributes", Collections.singletonMap(SUB, "test-subject")));
+ }
+
private void assertLoginPage(HtmlPage page) {
assertThat(page.getTitleText()).isEqualTo("Please sign in");
@@ -397,5 +418,10 @@ public class OAuth2LoginApplicationTests {
when(userService.loadUser(any())).thenReturn(user);
return userService;
}
+
+ @Bean
+ OAuth2AuthorizedClientRepository authorizedClientRepository() {
+ return new HttpSessionOAuth2AuthorizedClientRepository();
+ }
}
}
diff --git a/samples/boot/oauth2login/src/test/java/sample/web/OAuth2LoginControllerTests.java b/samples/boot/oauth2login/src/test/java/sample/web/OAuth2LoginControllerTests.java
new file mode 100644
index 0000000000..99970efdf8
--- /dev/null
+++ b/samples/boot/oauth2login/src/test/java/sample/web/OAuth2LoginControllerTests.java
@@ -0,0 +1,94 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sample.web;
+
+import java.util.Collections;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
+import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizedClientRepository;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.test.web.servlet.MockMvc;
+
+import static org.springframework.security.oauth2.core.oidc.IdTokenClaimNames.SUB;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.oidcLogin;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.model;
+
+/**
+ * Tests for {@link OAuth2LoginController}
+ *
+ * @author Josh Cummings
+ */
+@RunWith(SpringRunner.class)
+@WebMvcTest
+@Import({OAuth2LoginController.class, OAuth2LoginControllerTests.OAuth2ClientConfig.class})
+public class OAuth2LoginControllerTests {
+
+ static ClientRegistration clientRegistration = ClientRegistration.withRegistrationId("test")
+ .authorizationGrantType(AuthorizationGrantType.PASSWORD)
+ .clientId("my-client-id")
+ .clientName("my-client-name")
+ .tokenUri("https://token-uri.example.org")
+ .build();
+
+ @Autowired
+ MockMvc mvc;
+
+ @Test
+ public void rootWhenAuthenticatedReturnsUserAndClient() throws Exception {
+ this.mvc.perform(get("/").with(oidcLogin()))
+ .andExpect(model().attribute("userName", "test-subject"))
+ .andExpect(model().attribute("clientName", "test"))
+ .andExpect(model().attribute("userAttributes", Collections.singletonMap(SUB, "test-subject")));
+ }
+
+ @Test
+ public void rootWhenOverridingClientRegistrationReturnsAccordingly() throws Exception {
+ this.mvc.perform(get("/").with(oidcLogin()
+ .clientRegistration(clientRegistration)
+ .idToken(i -> i.subject("spring-security"))))
+ .andExpect(model().attribute("userName", "spring-security"))
+ .andExpect(model().attribute("clientName", "my-client-name"))
+ .andExpect(model().attribute("userAttributes", Collections.singletonMap(SUB, "spring-security")));
+ }
+
+ @Configuration
+ static class OAuth2ClientConfig {
+
+ @Bean
+ ClientRegistrationRepository clientRegistrationRepository() {
+ return new InMemoryClientRegistrationRepository(clientRegistration);
+ }
+
+ @Bean
+ OAuth2AuthorizedClientRepository authorizedClientRepository() {
+ return new HttpSessionOAuth2AuthorizedClientRepository();
+ }
+ }
+}
diff --git a/test/spring-security-test.gradle b/test/spring-security-test.gradle
index 9fbf195f7d..7083de9437 100644
--- a/test/spring-security-test.gradle
+++ b/test/spring-security-test.gradle
@@ -7,6 +7,7 @@ dependencies {
compile 'org.springframework:spring-test'
optional project(':spring-security-config')
+ optional project(':spring-security-oauth2-client')
optional project(':spring-security-oauth2-jose')
optional project(':spring-security-oauth2-resource-server')
optional 'io.projectreactor:reactor-core'
diff --git a/test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java b/test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java
index 017567930a..ce07e9a330 100644
--- a/test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java
+++ b/test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java
@@ -25,7 +25,10 @@ import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;
+import java.util.Collections;
+import java.util.LinkedHashSet;
import java.util.List;
+import java.util.Set;
import java.util.function.Consumer;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -46,6 +49,19 @@ import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
+import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizedClientRepository;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
+import org.springframework.security.oauth2.core.oidc.OidcIdToken;
+import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
+import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
+import org.springframework.security.oauth2.core.oidc.user.OidcUser;
+import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
@@ -314,6 +330,36 @@ public final class SecurityMockMvcRequestPostProcessors {
return new HttpBasicRequestPostProcessor(username, password);
}
+ /**
+ * Establish a {@link SecurityContext} that has a
+ * {@link OAuth2AuthenticationToken} for the
+ * {@link Authentication} and a {@link OAuth2AuthorizedClient} in
+ * the session. All details are
+ * declarative and do not require associated tokens to be valid.
+ *
+ *
+ * The support works by associating the authentication to the HttpServletRequest. To associate
+ * the request to the SecurityContextHolder you need to ensure that the
+ * SecurityContextPersistenceFilter is associated with the MockMvc instance. A few
+ * ways to do this are:
+ *
+ *
+ *
+ * - Invoking apply {@link SecurityMockMvcConfigurers#springSecurity()}
+ * - Adding Spring Security's FilterChainProxy to MockMvc
+ * - Manually adding {@link SecurityContextPersistenceFilter} to the MockMvc
+ * instance may make sense when using MockMvcBuilders standaloneSetup
+ *
+ *
+ * @return the {@link OidcLoginRequestPostProcessor} for additional customization
+ * @since 5.3
+ */
+ public static OidcLoginRequestPostProcessor oidcLogin() {
+ OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, "access-token",
+ null, null, Collections.singleton("user"));
+ return new OidcLoginRequestPostProcessor(accessToken);
+ }
+
/**
* Populates the X509Certificate instances onto the request
*/
@@ -1024,6 +1070,161 @@ public final class SecurityMockMvcRequestPostProcessors {
}
+ /**
+ * @author Josh Cummings
+ * @since 5.3
+ */
+ public final static class OidcLoginRequestPostProcessor implements RequestPostProcessor {
+ private ClientRegistration clientRegistration;
+ private OAuth2AccessToken accessToken;
+ private OidcIdToken idToken;
+ private OidcUserInfo userInfo;
+ private OidcUser oidcUser;
+ private Collection authorities;
+
+ private OidcLoginRequestPostProcessor(OAuth2AccessToken accessToken) {
+ this.accessToken = accessToken;
+ this.clientRegistration = clientRegistrationBuilder().build();
+ }
+
+ /**
+ * Use the provided authorities in the {@link Authentication}
+ *
+ * @param authorities the authorities to use
+ * @return the {@link OidcLoginRequestPostProcessor} for further configuration
+ */
+ public OidcLoginRequestPostProcessor authorities(Collection authorities) {
+ Assert.notNull(authorities, "authorities cannot be null");
+ this.authorities = authorities;
+ return this;
+ }
+
+ /**
+ * Use the provided authorities in the {@link Authentication}
+ *
+ * @param authorities the authorities to use
+ * @return the {@link OidcLoginRequestPostProcessor} for further configuration
+ */
+ public OidcLoginRequestPostProcessor authorities(GrantedAuthority... authorities) {
+ Assert.notNull(authorities, "authorities cannot be null");
+ this.authorities = Arrays.asList(authorities);
+ return this;
+ }
+
+ /**
+ * Use the provided {@link OidcIdToken} when constructing the authenticated user
+ *
+ * @param idTokenBuilderConsumer a {@link Consumer} of a {@link OidcIdToken.Builder}
+ * @return the {@link OidcLoginRequestPostProcessor} for further configuration
+ */
+ public OidcLoginRequestPostProcessor idToken(Consumer idTokenBuilderConsumer) {
+ OidcIdToken.Builder builder = OidcIdToken.withTokenValue("id-token");
+ builder.subject("test-subject");
+ idTokenBuilderConsumer.accept(builder);
+ this.idToken = builder.build();
+ return this;
+ }
+
+ /**
+ * Use the provided {@link OidcUserInfo} when constructing the authenticated user
+ *
+ * @param userInfoBuilderConsumer a {@link Consumer} of a {@link OidcUserInfo.Builder}
+ * @return the {@link OidcLoginRequestPostProcessor} for further configuration
+ */
+ public OidcLoginRequestPostProcessor userInfoToken(Consumer userInfoBuilderConsumer) {
+ OidcUserInfo.Builder builder = OidcUserInfo.builder();
+ userInfoBuilderConsumer.accept(builder);
+ this.userInfo = builder.build();
+ return this;
+ }
+
+ /**
+ * Use the provided {@link OidcUser} as the authenticated user.
+ *
+ * Supplying an {@link OidcUser} will take precedence over {@link #idToken}, {@link #userInfo},
+ * and list of {@link GrantedAuthority}s to use.
+ *
+ * @param oidcUser the {@link OidcUser} to use
+ * @return the {@link OidcLoginRequestPostProcessor} for further configuration
+ */
+ public OidcLoginRequestPostProcessor oidcUser(OidcUser oidcUser) {
+ this.oidcUser = oidcUser;
+ return this;
+ }
+
+ /**
+ * Use the provided {@link ClientRegistration} as the client to authorize.
+ *
+ * The supplied {@link ClientRegistration} will be registered into an
+ * {@link HttpSessionOAuth2AuthorizedClientRepository}. Tests relying on
+ * {@link org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient}
+ * annotations should register an {@link HttpSessionOAuth2AuthorizedClientRepository} bean
+ * to the application context.
+ *
+ * The client registration must be a valid {@link ClientRegistration} from the
+ * {@link org.springframework.security.oauth2.client.registration.ClientRegistrationRepository}
+ * in the application context.
+ *
+ * @param clientRegistration the {@link ClientRegistration} to use
+ * @return the {@link OidcLoginRequestPostProcessor} for further configuration
+ */
+ public OidcLoginRequestPostProcessor clientRegistration(ClientRegistration clientRegistration) {
+ this.clientRegistration = clientRegistration;
+ return this;
+ }
+
+ @Override
+ public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) {
+ OidcUser oidcUser = getOidcUser();
+ OAuth2AuthenticationToken token = new OAuth2AuthenticationToken(oidcUser, oidcUser.getAuthorities(), this.clientRegistration.getRegistrationId());
+ OAuth2AuthorizedClient client = new OAuth2AuthorizedClient(this.clientRegistration, token.getName(), this.accessToken);
+ OAuth2AuthorizedClientRepository authorizedClientRepository = new HttpSessionOAuth2AuthorizedClientRepository();
+ authorizedClientRepository.saveAuthorizedClient(client, token, request, new MockHttpServletResponse());
+
+ return new AuthenticationRequestPostProcessor(token).postProcessRequest(request);
+ }
+
+ private ClientRegistration.Builder clientRegistrationBuilder() {
+ return ClientRegistration.withRegistrationId("test")
+ .authorizationGrantType(AuthorizationGrantType.PASSWORD)
+ .clientId("test-client")
+ .tokenUri("https://token-uri.example.org");
+ }
+
+ private Collection getAuthorities() {
+ if (this.authorities == null) {
+ Set authorities = new LinkedHashSet<>();
+ authorities.add(new OidcUserAuthority(getOidcIdToken(), getOidcUserInfo()));
+ for (String authority : this.accessToken.getScopes()) {
+ authorities.add(new SimpleGrantedAuthority("SCOPE_" + authority));
+ }
+ return authorities;
+ } else {
+ return this.authorities;
+ }
+ }
+
+ private OidcIdToken getOidcIdToken() {
+ if (this.idToken == null) {
+ return new OidcIdToken("id-token", null, null, Collections.singletonMap(IdTokenClaimNames.SUB, "test-subject"));
+ } else {
+ return this.idToken;
+ }
+ }
+
+ private OidcUserInfo getOidcUserInfo() {
+ return this.userInfo;
+ }
+
+ private OidcUser getOidcUser() {
+ if (this.oidcUser == null) {
+ return new DefaultOidcUser(getAuthorities(), getOidcIdToken(), this.userInfo);
+ } else {
+ return this.oidcUser;
+ }
+ }
+ }
+
private SecurityMockMvcRequestPostProcessors() {
}
}
diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOidcLoginTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOidcLoginTests.java
new file mode 100644
index 0000000000..1034100cc1
--- /dev/null
+++ b/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOidcLoginTests.java
@@ -0,0 +1,195 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.test.web.servlet.request;
+
+import java.util.Collection;
+import java.util.List;
+import java.util.stream.Collectors;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
+import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizedClientRepository;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.oidc.user.OidcUser;
+import org.springframework.security.test.context.TestSecurityContextHolder;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.context.web.WebAppConfiguration;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.context.WebApplicationContext;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
+
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.mock;
+import static org.powermock.api.mockito.PowerMockito.when;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.oidcLogin;
+import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+/**
+ * Tests for {@link SecurityMockMvcRequestPostProcessors#oidcLogin()}
+ *
+ * @author Josh Cummings
+ * @since 5.3
+ */
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration
+@WebAppConfiguration
+public class SecurityMockMvcRequestPostProcessorsOidcLoginTests {
+ @Autowired
+ WebApplicationContext context;
+
+ MockMvc mvc;
+
+ @Before
+ public void setup() {
+ // @formatter:off
+ this.mvc = MockMvcBuilders
+ .webAppContextSetup(this.context)
+ .apply(springSecurity())
+ .build();
+ // @formatter:on
+ }
+
+ @After
+ public void cleanup() {
+ TestSecurityContextHolder.clearContext();
+ }
+
+ @Test
+ public void oidcLoginWhenUsingDefaultsThenProducesDefaultAuthentication()
+ throws Exception {
+
+ this.mvc.perform(get("/name").with(oidcLogin()))
+ .andExpect(content().string("test-subject"));
+ this.mvc.perform(get("/admin/id-token/name").with(oidcLogin()))
+ .andExpect(status().isForbidden());
+ }
+
+ @Test
+ public void oidcLoginWhenUsingDefaultsThenProducesDefaultAuthorizedClient()
+ throws Exception {
+
+ ClientRegistration clientRegistration = ClientRegistration.withRegistrationId("test")
+ .authorizationGrantType(AuthorizationGrantType.PASSWORD)
+ .clientId("test-client")
+ .tokenUri("https://token-uri.example.org")
+ .build();
+ ClientRegistrationRepository repository = this.context.getBean(ClientRegistrationRepository.class);
+ when(repository.findByRegistrationId(anyString())).thenReturn(clientRegistration);
+
+ this.mvc.perform(get("/access-token").with(oidcLogin().clientRegistration(clientRegistration)))
+ .andExpect(content().string("access-token"));
+ }
+
+ @Test
+ public void oidcLoginWhenAuthoritiesSpecifiedThenGrantsAccess() throws Exception {
+ this.mvc.perform(get("/admin/scopes")
+ .with(oidcLogin().authorities(new SimpleGrantedAuthority("SCOPE_admin"))))
+ .andExpect(content().string("[\"SCOPE_admin\"]"));
+ }
+
+ @Test
+ public void oidcLoginWhenIdTokenSpecifiedThenUserHasClaims() throws Exception {
+ this.mvc.perform(get("/id-token/iss")
+ .with(oidcLogin().idToken(i -> i.issuer("https://idp.example.org"))))
+ .andExpect(content().string("https://idp.example.org"));
+ }
+
+ @Test
+ public void oidcLoginWhenUserInfoSpecifiedThenUserHasClaims() throws Exception {
+ this.mvc.perform(get("/user-info/email")
+ .with(oidcLogin().userInfoToken(u -> u.email("email@email"))))
+ .andExpect(content().string("email@email"));
+ }
+
+ @EnableWebSecurity
+ @EnableWebMvc
+ static class OAuth2LoginConfig extends WebSecurityConfigurerAdapter {
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ http
+ .authorizeRequests()
+ .mvcMatchers("/admin/**").hasAuthority("SCOPE_admin")
+ .anyRequest().hasAuthority("SCOPE_user")
+ .and()
+ .oauth2Login();
+ }
+
+ @Bean
+ ClientRegistrationRepository clientRegistrationRepository() {
+ return mock(ClientRegistrationRepository.class);
+ }
+
+
+ @Bean
+ OAuth2AuthorizedClientRepository oAuth2AuthorizedClientRepository() {
+ return new HttpSessionOAuth2AuthorizedClientRepository();
+ }
+
+ @RestController
+ static class PrincipalController {
+ @GetMapping("/name")
+ String name(@AuthenticationPrincipal OidcUser oidcUser) {
+ return oidcUser.getName();
+ }
+
+ @GetMapping("/access-token")
+ String authorizedClient(@RegisteredOAuth2AuthorizedClient OAuth2AuthorizedClient authorizedClient) {
+ return authorizedClient.getAccessToken().getTokenValue();
+ }
+
+ @GetMapping("/id-token/{claim}")
+ String idTokenClaim(@AuthenticationPrincipal OidcUser oidcUser, @PathVariable("claim") String claim) {
+ return oidcUser.getIdToken().getClaim(claim);
+ }
+
+ @GetMapping("/user-info/{claim}")
+ String userInfoClaim(@AuthenticationPrincipal OidcUser oidcUser, @PathVariable("claim") String claim) {
+ return oidcUser.getUserInfo().getClaim(claim);
+ }
+
+ @GetMapping("/admin/scopes")
+ List scopes(@AuthenticationPrincipal(expression = "authorities")
+ Collection authorities) {
+ return authorities.stream().map(GrantedAuthority::getAuthority)
+ .collect(Collectors.toList());
+ }
+ }
+ }
+}