Add Jwt to BearerTokenAuthentication Converter

Fixes gh-7346
This commit is contained in:
Josh Cummings 2019-09-03 07:02:55 -06:00
parent 068f4f0147
commit d7f7e9d4b7
2 changed files with 143 additions and 0 deletions

View File

@ -0,0 +1,58 @@
/*
* Copyright 2002-2019 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.oauth2.server.resource.authentication;
import java.util.Collection;
import java.util.Map;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
/**
* A {@link Converter} that takes a {@link Jwt} and converts it into a {@link BearerTokenAuthentication}.
*
* In the process, it will attempt to parse either the "scope" or "scp" attribute, whichever it finds first.
*
* It's not intended that this implementation be configured since it is simply an adapter. If you are using,
* for example, a custom {@link JwtGrantedAuthoritiesConverter}, then it's recommended that you simply
* create your own {@link Converter} that delegates to your custom {@link JwtGrantedAuthoritiesConverter}
* and instantiates the appropriate {@link BearerTokenAuthentication}.
*
* @author Josh Cummings
* @since 5.2
*/
public final class JwtBearerTokenAuthenticationConverter implements Converter<Jwt, AbstractAuthenticationToken> {
private final JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
@Override
public AbstractAuthenticationToken convert(Jwt jwt) {
OAuth2AccessToken accessToken = new OAuth2AccessToken(
OAuth2AccessToken.TokenType.BEARER, jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt());
Map<String, Object> attributes = jwt.getClaims();
AbstractAuthenticationToken token = this.jwtAuthenticationConverter.convert(jwt);
Collection<GrantedAuthority> authorities = token.getAuthorities();
OAuth2AuthenticatedPrincipal principal = new DefaultOAuth2AuthenticatedPrincipal(attributes, authorities);
return new BearerTokenAuthentication(principal, accessToken, authorities);
}
}

View File

@ -0,0 +1,85 @@
/*
* Copyright 2002-2019 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.oauth2.server.resource.authentication;
import java.util.Arrays;
import org.junit.Test;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import static org.assertj.core.api.Assertions.assertThat;
/**
* Tests for {@link JwtBearerTokenAuthenticationConverter}
*
* @author Josh Cummings
*/
public class JwtBearerTokenAuthenticationConverterTests {
private final JwtBearerTokenAuthenticationConverter converter =
new JwtBearerTokenAuthenticationConverter();
@Test
public void convertWhenJwtThenBearerTokenAuthentication() {
Jwt jwt = Jwt.withTokenValue("token-value")
.claim("claim", "value")
.header("header", "value")
.build();
AbstractAuthenticationToken token = this.converter.convert(jwt);
assertThat(token).isInstanceOf(BearerTokenAuthentication.class);
BearerTokenAuthentication bearerToken = (BearerTokenAuthentication) token;
assertThat(bearerToken.getToken().getTokenValue()).isEqualTo("token-value");
assertThat(bearerToken.getTokenAttributes()).containsOnlyKeys("claim");
assertThat(bearerToken.getAuthorities()).isEmpty();
}
@Test
public void convertWhenJwtWithScopeAttributeThenBearerTokenAuthentication() {
Jwt jwt = Jwt.withTokenValue("token-value")
.claim("scope", "message:read message:write")
.header("header", "value")
.build();
AbstractAuthenticationToken token = this.converter.convert(jwt);
assertThat(token).isInstanceOf(BearerTokenAuthentication.class);
BearerTokenAuthentication bearerToken = (BearerTokenAuthentication) token;
assertThat(bearerToken.getAuthorities())
.containsExactly(new SimpleGrantedAuthority("SCOPE_message:read"),
new SimpleGrantedAuthority("SCOPE_message:write"));
}
@Test
public void convertWhenJwtWithScpAttributeThenBearerTokenAuthentication() {
Jwt jwt = Jwt.withTokenValue("token-value")
.claim("scp", Arrays.asList("message:read", "message:write"))
.header("header", "value")
.build();
AbstractAuthenticationToken token = this.converter.convert(jwt);
assertThat(token).isInstanceOf(BearerTokenAuthentication.class);
BearerTokenAuthentication bearerToken = (BearerTokenAuthentication) token;
assertThat(bearerToken.getAuthorities())
.containsExactly(new SimpleGrantedAuthority("SCOPE_message:read"),
new SimpleGrantedAuthority("SCOPE_message:write"));
}
}