Add oidcLogin MockMvc Test Support

Fixes gh-7618

samples/boot/oauth2login/src/integration-test/java/sample/OAuth2LoginApplicationTests.java

@@ -18,6 +18,7 @@ package sample;
 import java.net.URI;
 import java.net.URL;
 import java.net.URLDecoder;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -40,6 +41,7 @@ import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.context.annotation.Bean;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -51,7 +53,9 @@ import org.springframework.security.oauth2.client.registration.ClientRegistratio
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
 import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
+import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizedClientRepository;
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
 import org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
@@ -61,6 +65,7 @@ import org.springframework.security.oauth2.core.user.DefaultOAuth2User;
 import org.springframework.security.oauth2.core.user.OAuth2User;
 import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;
 import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.web.util.UriComponents;
 import org.springframework.web.util.UriComponentsBuilder;
 
@@ -68,6 +73,10 @@ import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
+import static org.springframework.security.oauth2.core.oidc.IdTokenClaimNames.SUB;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.oidcLogin;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.model;
 
 /**
  * Integration tests for the OAuth 2.0 client filters {@link OAuth2AuthorizationRequestRedirectFilter}
@@ -87,6 +96,9 @@ public class OAuth2LoginApplicationTests {
 	@Autowired
 	private WebClient webClient;
 
+	@Autowired
+	private MockMvc mvc;
+
 	@Autowired
 	private ClientRegistrationRepository clientRegistrationRepository;
 
@@ -284,6 +296,15 @@ public class OAuth2LoginApplicationTests {
 		assertThat(errorElement.asText()).contains("invalid_redirect_uri_parameter");
 	}
 
+	@Test
+	public void requestWhenMockOidcLoginThenIndex() throws Exception {
+		ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId("github");
+		this.mvc.perform(get("/").with(oidcLogin().clientRegistration(clientRegistration)))
+				.andExpect(model().attribute("userName", "test-subject"))
+				.andExpect(model().attribute("clientName", "GitHub"))
+				.andExpect(model().attribute("userAttributes", Collections.singletonMap(SUB, "test-subject")));
+	}
+
 	private void assertLoginPage(HtmlPage page) {
 		assertThat(page.getTitleText()).isEqualTo("Please sign in");
 
@@ -397,5 +418,10 @@ public class OAuth2LoginApplicationTests {
 			when(userService.loadUser(any())).thenReturn(user);
 			return userService;
 		}
+
+		@Bean
+		OAuth2AuthorizedClientRepository authorizedClientRepository() {
+			return new HttpSessionOAuth2AuthorizedClientRepository();
+		}
 	}
 }

samples/boot/oauth2login/src/test/java/sample/web/OAuth2LoginControllerTests.java

@@ -0,0 +1,94 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sample.web;
+
+import java.util.Collections;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
+import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizedClientRepository;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.test.web.servlet.MockMvc;
+
+import static org.springframework.security.oauth2.core.oidc.IdTokenClaimNames.SUB;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.oidcLogin;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.model;
+
+/**
+ * Tests for {@link OAuth2LoginController}
+ *
+ * @author Josh Cummings
+ */
+@RunWith(SpringRunner.class)
+@WebMvcTest
+@Import({OAuth2LoginController.class, OAuth2LoginControllerTests.OAuth2ClientConfig.class})
+public class OAuth2LoginControllerTests {
+
+	static ClientRegistration clientRegistration = ClientRegistration.withRegistrationId("test")
+			.authorizationGrantType(AuthorizationGrantType.PASSWORD)
+			.clientId("my-client-id")
+			.clientName("my-client-name")
+			.tokenUri("https://token-uri.example.org")
+			.build();
+
+	@Autowired
+	MockMvc mvc;
+
+	@Test
+	public void rootWhenAuthenticatedReturnsUserAndClient() throws Exception {
+		this.mvc.perform(get("/").with(oidcLogin()))
+			.andExpect(model().attribute("userName", "test-subject"))
+			.andExpect(model().attribute("clientName", "test"))
+			.andExpect(model().attribute("userAttributes", Collections.singletonMap(SUB, "test-subject")));
+	}
+
+	@Test
+	public void rootWhenOverridingClientRegistrationReturnsAccordingly() throws Exception {
+		this.mvc.perform(get("/").with(oidcLogin()
+				.clientRegistration(clientRegistration)
+				.idToken(i -> i.subject("spring-security"))))
+				.andExpect(model().attribute("userName", "spring-security"))
+				.andExpect(model().attribute("clientName", "my-client-name"))
+				.andExpect(model().attribute("userAttributes", Collections.singletonMap(SUB, "spring-security")));
+	}
+
+	@Configuration
+	static class OAuth2ClientConfig {
+
+		@Bean
+		ClientRegistrationRepository clientRegistrationRepository() {
+			return new InMemoryClientRegistrationRepository(clientRegistration);
+		}
+
+		@Bean
+		OAuth2AuthorizedClientRepository authorizedClientRepository() {
+			return new HttpSessionOAuth2AuthorizedClientRepository();
+		}
+	}
+}

test/spring-security-test.gradle

@@ -7,6 +7,7 @@ dependencies {
 	compile 'org.springframework:spring-test'
 
 	optional project(':spring-security-config')
+	optional project(':spring-security-oauth2-client')
 	optional project(':spring-security-oauth2-jose')
 	optional project(':spring-security-oauth2-resource-server')
 	optional 'io.projectreactor:reactor-core'

test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java

@@ -25,7 +25,10 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Base64;
 import java.util.Collection;
+import java.util.Collections;
+import java.util.LinkedHashSet;
 import java.util.List;
+import java.util.Set;
 import java.util.function.Consumer;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -46,6 +49,19 @@ import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
+import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizedClientRepository;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
+import org.springframework.security.oauth2.core.oidc.OidcIdToken;
+import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
+import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
+import org.springframework.security.oauth2.core.oidc.user.OidcUser;
+import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
@@ -314,6 +330,36 @@ public final class SecurityMockMvcRequestPostProcessors {
 		return new HttpBasicRequestPostProcessor(username, password);
 	}
 
+	/**
+	 * Establish a {@link SecurityContext} that has a
+	 * {@link OAuth2AuthenticationToken} for the
+	 * {@link Authentication} and a {@link OAuth2AuthorizedClient} in
+	 * the session. All details are
+	 * declarative and do not require associated tokens to be valid.
+	 *
+	 * <p>
+	 * The support works by associating the authentication to the HttpServletRequest. To associate
+	 * the request to the SecurityContextHolder you need to ensure that the
+	 * SecurityContextPersistenceFilter is associated with the MockMvc instance. A few
+	 * ways to do this are:
+	 * </p>
+	 *
+	 * <ul>
+	 * <li>Invoking apply {@link SecurityMockMvcConfigurers#springSecurity()}</li>
+	 * <li>Adding Spring Security's FilterChainProxy to MockMvc</li>
+	 * <li>Manually adding {@link SecurityContextPersistenceFilter} to the MockMvc
+	 * instance may make sense when using MockMvcBuilders standaloneSetup</li>
+	 * </ul>
+	 *
+	 * @return the {@link OidcLoginRequestPostProcessor} for additional customization
+	 * @since 5.3
+	 */
+	public static OidcLoginRequestPostProcessor oidcLogin() {
+		OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, "access-token",
+				null, null, Collections.singleton("user"));
+		return new OidcLoginRequestPostProcessor(accessToken);
+	}
+
 	/**
 	 * Populates the X509Certificate instances onto the request
 	 */
@@ -1024,6 +1070,161 @@ public final class SecurityMockMvcRequestPostProcessors {
 
 	}
 
+	/**
+	 * @author Josh Cummings
+	 * @since 5.3
+	 */
+	public final static class OidcLoginRequestPostProcessor implements RequestPostProcessor {
+		private ClientRegistration clientRegistration;
+		private OAuth2AccessToken accessToken;
+		private OidcIdToken idToken;
+		private OidcUserInfo userInfo;
+		private OidcUser oidcUser;
+		private Collection<GrantedAuthority> authorities;
+
+		private OidcLoginRequestPostProcessor(OAuth2AccessToken accessToken) {
+			this.accessToken = accessToken;
+			this.clientRegistration = clientRegistrationBuilder().build();
+		}
+
+		/**
+		 * Use the provided authorities in the {@link Authentication}
+		 *
+		 * @param authorities the authorities to use
+		 * @return the {@link OidcLoginRequestPostProcessor} for further configuration
+		 */
+		public OidcLoginRequestPostProcessor authorities(Collection<GrantedAuthority> authorities) {
+			Assert.notNull(authorities, "authorities cannot be null");
+			this.authorities = authorities;
+			return this;
+		}
+
+		/**
+		 * Use the provided authorities in the {@link Authentication}
+		 *
+		 * @param authorities the authorities to use
+		 * @return the {@link OidcLoginRequestPostProcessor} for further configuration
+		 */
+		public OidcLoginRequestPostProcessor authorities(GrantedAuthority... authorities) {
+			Assert.notNull(authorities, "authorities cannot be null");
+			this.authorities = Arrays.asList(authorities);
+			return this;
+		}
+
+		/**
+		 * Use the provided {@link OidcIdToken} when constructing the authenticated user
+		 *
+		 * @param idTokenBuilderConsumer a {@link Consumer} of a {@link OidcIdToken.Builder}
+		 * @return the {@link OidcLoginRequestPostProcessor} for further configuration
+		 */
+		public OidcLoginRequestPostProcessor idToken(Consumer<OidcIdToken.Builder> idTokenBuilderConsumer) {
+			OidcIdToken.Builder builder = OidcIdToken.withTokenValue("id-token");
+			builder.subject("test-subject");
+			idTokenBuilderConsumer.accept(builder);
+			this.idToken = builder.build();
+			return this;
+		}
+
+		/**
+		 * Use the provided {@link OidcUserInfo} when constructing the authenticated user
+		 *
+		 * @param userInfoBuilderConsumer a {@link Consumer} of a {@link OidcUserInfo.Builder}
+		 * @return the {@link OidcLoginRequestPostProcessor} for further configuration
+		 */
+		public OidcLoginRequestPostProcessor userInfoToken(Consumer<OidcUserInfo.Builder> userInfoBuilderConsumer) {
+			OidcUserInfo.Builder builder = OidcUserInfo.builder();
+			userInfoBuilderConsumer.accept(builder);
+			this.userInfo = builder.build();
+			return this;
+		}
+
+		/**
+		 * Use the provided {@link OidcUser} as the authenticated user.
+		 *
+		 * Supplying an {@link OidcUser} will take precedence over {@link #idToken}, {@link #userInfo},
+		 * and list of {@link GrantedAuthority}s to use.
+		 *
+		 * @param oidcUser the {@link OidcUser} to use
+		 * @return the {@link OidcLoginRequestPostProcessor} for further configuration
+		 */
+		public OidcLoginRequestPostProcessor oidcUser(OidcUser oidcUser) {
+			this.oidcUser = oidcUser;
+			return this;
+		}
+
+		/**
+		 * Use the provided {@link ClientRegistration} as the client to authorize.
+		 *
+		 * The supplied {@link ClientRegistration} will be registered into an
+		 * {@link HttpSessionOAuth2AuthorizedClientRepository}. Tests relying on
+		 * {@link org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient}
+		 * annotations should register an {@link HttpSessionOAuth2AuthorizedClientRepository} bean
+		 * to the application context.
+		 *
+		 * The client registration must be a valid {@link ClientRegistration} from the
+		 * {@link org.springframework.security.oauth2.client.registration.ClientRegistrationRepository}
+		 * in the application context.
+		 *
+		 * @param clientRegistration the {@link ClientRegistration} to use
+		 * @return the {@link OidcLoginRequestPostProcessor} for further configuration
+		 */
+		public OidcLoginRequestPostProcessor clientRegistration(ClientRegistration clientRegistration) {
+			this.clientRegistration = clientRegistration;
+			return this;
+		}
+
+		@Override
+		public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) {
+			OidcUser oidcUser = getOidcUser();
+			OAuth2AuthenticationToken token = new OAuth2AuthenticationToken(oidcUser, oidcUser.getAuthorities(), this.clientRegistration.getRegistrationId());
+			OAuth2AuthorizedClient client = new OAuth2AuthorizedClient(this.clientRegistration, token.getName(), this.accessToken);
+			OAuth2AuthorizedClientRepository authorizedClientRepository = new HttpSessionOAuth2AuthorizedClientRepository();
+			authorizedClientRepository.saveAuthorizedClient(client, token, request, new MockHttpServletResponse());
+
+			return new AuthenticationRequestPostProcessor(token).postProcessRequest(request);
+		}
+
+		private ClientRegistration.Builder clientRegistrationBuilder() {
+			return ClientRegistration.withRegistrationId("test")
+					.authorizationGrantType(AuthorizationGrantType.PASSWORD)
+					.clientId("test-client")
+					.tokenUri("https://token-uri.example.org");
+		}
+
+		private Collection<GrantedAuthority> getAuthorities() {
+			if (this.authorities == null) {
+				Set<GrantedAuthority> authorities = new LinkedHashSet<>();
+				authorities.add(new OidcUserAuthority(getOidcIdToken(), getOidcUserInfo()));
+				for (String authority : this.accessToken.getScopes()) {
+					authorities.add(new SimpleGrantedAuthority("SCOPE_" + authority));
+				}
+				return authorities;
+			} else {
+				return this.authorities;
+			}
+		}
+
+		private OidcIdToken getOidcIdToken() {
+			if (this.idToken == null) {
+				return new OidcIdToken("id-token", null, null, Collections.singletonMap(IdTokenClaimNames.SUB, "test-subject"));
+			} else {
+				return this.idToken;
+			}
+		}
+
+		private OidcUserInfo getOidcUserInfo() {
+			return this.userInfo;
+		}
+
+		private OidcUser getOidcUser() {
+			if (this.oidcUser == null) {
+				return new DefaultOidcUser(getAuthorities(), getOidcIdToken(), this.userInfo);
+			} else {
+				return this.oidcUser;
+			}
+		}
+	}
+
 	private SecurityMockMvcRequestPostProcessors() {
 	}
 }

test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsOidcLoginTests.java

@@ -0,0 +1,195 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.test.web.servlet.request;
+
+import java.util.Collection;
+import java.util.List;
+import java.util.stream.Collectors;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
+import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizedClientRepository;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.oidc.user.OidcUser;
+import org.springframework.security.test.context.TestSecurityContextHolder;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.context.web.WebAppConfiguration;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.context.WebApplicationContext;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
+
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.mock;
+import static org.powermock.api.mockito.PowerMockito.when;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.oidcLogin;
+import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+/**
+ * Tests for {@link SecurityMockMvcRequestPostProcessors#oidcLogin()}
+ *
+ * @author Josh Cummings
+ * @since 5.3
+ */
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration
+@WebAppConfiguration
+public class SecurityMockMvcRequestPostProcessorsOidcLoginTests {
+	@Autowired
+	WebApplicationContext context;
+
+	MockMvc mvc;
+
+	@Before
+	public void setup() {
+		// @formatter:off
+		this.mvc = MockMvcBuilders
+			.webAppContextSetup(this.context)
+			.apply(springSecurity())
+			.build();
+		// @formatter:on
+	}
+
+	@After
+	public void cleanup() {
+		TestSecurityContextHolder.clearContext();
+	}
+
+	@Test
+	public void oidcLoginWhenUsingDefaultsThenProducesDefaultAuthentication()
+		throws Exception {
+
+		this.mvc.perform(get("/name").with(oidcLogin()))
+				.andExpect(content().string("test-subject"));
+		this.mvc.perform(get("/admin/id-token/name").with(oidcLogin()))
+				.andExpect(status().isForbidden());
+	}
+
+	@Test
+	public void oidcLoginWhenUsingDefaultsThenProducesDefaultAuthorizedClient()
+			throws Exception {
+
+		ClientRegistration clientRegistration = ClientRegistration.withRegistrationId("test")
+				.authorizationGrantType(AuthorizationGrantType.PASSWORD)
+				.clientId("test-client")
+				.tokenUri("https://token-uri.example.org")
+				.build();
+		ClientRegistrationRepository repository = this.context.getBean(ClientRegistrationRepository.class);
+		when(repository.findByRegistrationId(anyString())).thenReturn(clientRegistration);
+
+		this.mvc.perform(get("/access-token").with(oidcLogin().clientRegistration(clientRegistration)))
+				.andExpect(content().string("access-token"));
+	}
+
+	@Test
+	public void oidcLoginWhenAuthoritiesSpecifiedThenGrantsAccess() throws Exception {
+		this.mvc.perform(get("/admin/scopes")
+				.with(oidcLogin().authorities(new SimpleGrantedAuthority("SCOPE_admin"))))
+				.andExpect(content().string("[\"SCOPE_admin\"]"));
+	}
+
+	@Test
+	public void oidcLoginWhenIdTokenSpecifiedThenUserHasClaims() throws Exception {
+		this.mvc.perform(get("/id-token/iss")
+				.with(oidcLogin().idToken(i -> i.issuer("https://idp.example.org"))))
+				.andExpect(content().string("https://idp.example.org"));
+	}
+
+	@Test
+	public void oidcLoginWhenUserInfoSpecifiedThenUserHasClaims() throws Exception {
+		this.mvc.perform(get("/user-info/email")
+				.with(oidcLogin().userInfoToken(u -> u.email("email@email"))))
+				.andExpect(content().string("email@email"));
+	}
+
+	@EnableWebSecurity
+	@EnableWebMvc
+	static class OAuth2LoginConfig extends WebSecurityConfigurerAdapter {
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			http
+				.authorizeRequests()
+					.mvcMatchers("/admin/**").hasAuthority("SCOPE_admin")
+					.anyRequest().hasAuthority("SCOPE_user")
+					.and()
+				.oauth2Login();
+		}
+
+		@Bean
+		ClientRegistrationRepository clientRegistrationRepository() {
+			return mock(ClientRegistrationRepository.class);
+		}
+
+
+		@Bean
+		OAuth2AuthorizedClientRepository oAuth2AuthorizedClientRepository() {
+			return new HttpSessionOAuth2AuthorizedClientRepository();
+		}
+
+		@RestController
+		static class PrincipalController {
+			@GetMapping("/name")
+			String name(@AuthenticationPrincipal OidcUser oidcUser) {
+				return oidcUser.getName();
+			}
+
+			@GetMapping("/access-token")
+			String authorizedClient(@RegisteredOAuth2AuthorizedClient OAuth2AuthorizedClient authorizedClient) {
+				return authorizedClient.getAccessToken().getTokenValue();
+			}
+
+			@GetMapping("/id-token/{claim}")
+			String idTokenClaim(@AuthenticationPrincipal OidcUser oidcUser, @PathVariable("claim") String claim) {
+				return oidcUser.getIdToken().getClaim(claim);
+			}
+
+			@GetMapping("/user-info/{claim}")
+			String userInfoClaim(@AuthenticationPrincipal OidcUser oidcUser, @PathVariable("claim") String claim) {
+				return oidcUser.getUserInfo().getClaim(claim);
+			}
+
+			@GetMapping("/admin/scopes")
+			List<String> scopes(@AuthenticationPrincipal(expression = "authorities")
+										Collection<GrantedAuthority> authorities) {
+				return authorities.stream().map(GrantedAuthority::getAuthority)
+						.collect(Collectors.toList());
+			}
+		}
+	}
+}