From d878dbf30ef39ec3812d481792681120f213d065 Mon Sep 17 00:00:00 2001
From: Joe Grandja
Date: Tue, 8 Jan 2019 17:45:09 -0500
Subject: [PATCH] Polish gh-6349
---
 .../oidc/authentication/OidcIdTokenValidator.java | 15 ++++++++-------
 .../authentication/OidcIdTokenValidatorTests.java | 12 ------------
 2 files changed, 8 insertions(+), 19 deletions(-)
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidator.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidator.java
index a3fdf95f8b..ac985655b6 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidator.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidator.java
@@ -55,10 +55,10 @@ public final class OidcIdTokenValidator implements OAuth2TokenValidator {
 public OAuth2TokenValidatorResult validate(Jwt idToken) {
 // 3.1.3.7 ID Token Validation
 // http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
- Map invalidClaims = validateRequiredClaims(idToken);
- if (!invalidClaims.isEmpty()){
- return OAuth2TokenValidatorResult.failure(invalidIdToken(invalidClaims));
+ Map invalidClaims = validateRequiredClaims(idToken);
+ if (!invalidClaims.isEmpty()) {
+ return OAuth2TokenValidatorResult.failure(invalidIdToken(invalidClaims));
 }
 // 2. The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery)
@@ -121,13 +121,14 @@ public final class OidcIdTokenValidator implements OAuth2TokenValidator {
 private static OAuth2Error invalidIdToken(Map invalidClaims) {
 String claimsDetail = invalidClaims.entrySet().stream()
- .map(it -> it.getKey()+ "("+it.getValue()+")")
+ .map(it -> it.getKey() + " (" + it.getValue() + ")")
 .collect(Collectors.joining(", "));
-
- return new OAuth2Error("invalid_id_token", "The ID Token contains invalid claims: "+claimsDetail, null);
+ return new OAuth2Error("invalid_id_token",
+ "The ID Token contains invalid claims: " + claimsDetail,
+ "https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation");
 }
- private static Map validateRequiredClaims(Jwt idToken){
+ private static Map validateRequiredClaims(Jwt idToken) {
 Map requiredClaims = new HashMap<>();
 URL issuer = idToken.getIssuer();
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidatorTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidatorTests.java
index 4522db84ef..709ce88def 100644
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidatorTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidatorTests.java
@@ -66,7 +66,6 @@ public class OidcIdTokenValidatorTests {
 .hasSize(1)
 .extracting(OAuth2Error::getDescription)
 .allMatch(msg -> msg.contains(IdTokenClaimNames.ISS));
-
 }
 @Test
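Review bot: The reworked `.map(it -> it.getKey() + " (" + it.getValue() + ")")` line in invalidIdToken still copies each rejected claim's map value verbatim into the OAuth2Error description, and that description is what callers typically log or hand back to the client, so for a token the validator has just refused to trust this is attacker-influenced text landing in an error message (log injection, disclosure of token contents). What validateRequiredClaims actually stores as the map value is not visible here, since that method is cut off at the end of the hunk, but the tests in this same commit only assert that the description contains the claim name, so naming the claims is sufficient: `.map(Map.Entry::getKey)`. If the values are deliberately kept for diagnostics, bound their length and strip control characters before concatenation, and add a comment on invalidIdToken stating that the description carries token-derived data so downstream logging can treat it accordingly.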
@@ -194,17 +193,6 @@ public class OidcIdTokenValidatorTests {
 .allMatch(msg -> msg.contains(IdTokenClaimNames.EXP));
 }
- @Test(expected = IllegalArgumentException.class)
- public void validateIdTokenWhenNoClaimsThenHasErrors() {
- this.claims.remove(IdTokenClaimNames.ISS);
- this.claims.remove(IdTokenClaimNames.SUB);
- this.claims.remove(IdTokenClaimNames.AUD);
- this.issuedAt = null;
- this.expiresAt = null;
- assertThat(this.validateIdToken())
- .hasSize(1);
- }
-
 private Collection validateIdToken() {
 Jwt idToken = new Jwt("token123", this.issuedAt, this.expiresAt, this.headers, this.claims);
 OidcIdTokenValidator validator = new OidcIdTokenValidator(this.registration.build());