Polish gh-6349

This commit is contained in:
Joe Grandja 2019-01-08 17:45:09 -05:00
parent 057ed616c4
commit d878dbf30e
2 changed files with 8 additions and 19 deletions


@ -55,10 +55,10 @@ public final class OidcIdTokenValidator implements OAuth2TokenValidator<Jwt> {
public OAuth2TokenValidatorResult validate(Jwt idToken) { public OAuth2TokenValidatorResult validate(Jwt idToken) {
// 3.1.3.7 ID Token Validation // 3.1.3.7 ID Token Validation
// http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation // http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
Map<String, Object> invalidClaims = validateRequiredClaims(idToken);
if (!invalidClaims.isEmpty()){ Map<String, Object> invalidClaims = validateRequiredClaims(idToken);
return OAuth2TokenValidatorResult.failure(invalidIdToken(invalidClaims)); if (!invalidClaims.isEmpty()) {
return OAuth2TokenValidatorResult.failure(invalidIdToken(invalidClaims));
} }
// 2. The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) // 2. The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery)
@ -121,13 +121,14 @@ public final class OidcIdTokenValidator implements OAuth2TokenValidator<Jwt> {
private static OAuth2Error invalidIdToken(Map<String, Object> invalidClaims) { private static OAuth2Error invalidIdToken(Map<String, Object> invalidClaims) {
String claimsDetail = invalidClaims.entrySet().stream() String claimsDetail = invalidClaims.entrySet().stream()
.map(it -> it.getKey()+ "("+it.getValue()+")") .map(it -> it.getKey() + " (" + it.getValue() + ")")
.collect(Collectors.joining(", ")); .collect(Collectors.joining(", "));
return new OAuth2Error("invalid_id_token",
return new OAuth2Error("invalid_id_token", "The ID Token contains invalid claims: "+claimsDetail, null); "The ID Token contains invalid claims: " + claimsDetail,
"https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation");
} }
private static Map<String, Object> validateRequiredClaims(Jwt idToken){ private static Map<String, Object> validateRequiredClaims(Jwt idToken) {
Map<String, Object> requiredClaims = new HashMap<>(); Map<String, Object> requiredClaims = new HashMap<>();
URL issuer = idToken.getIssuer(); URL issuer = idToken.getIssuer();
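Review bot: The reworked description in invalidIdToken still interpolates `it.getValue()` for every failed claim, so whatever validateRequiredClaims stores as the map value — presumably the raw claim value from an ID Token that has just failed validation — lands verbatim in the OAuth2Error description alongside the newly added error URI. That description is the string most likely to be logged or shown on an error page, and for a rejected token it is attacker-controlled text; the tests in this commit only assert on claim names (`msg.contains(IdTokenClaimNames.ISS)`), so keying the detail on names alone, `.map(Map.Entry::getKey)`, or bounding each value with `String.valueOf(it.getValue())` truncated to a fixed length, would keep the message useful without reflecting unbounded input. The body of validateRequiredClaims continues past the end of the hunk, so what it puts in the map is inferred from its signature and use here rather than from visible lines.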


@ -66,7 +66,6 @@ public class OidcIdTokenValidatorTests {
.hasSize(1) .hasSize(1)
.extracting(OAuth2Error::getDescription) .extracting(OAuth2Error::getDescription)
.allMatch(msg -> msg.contains(IdTokenClaimNames.ISS)); .allMatch(msg -> msg.contains(IdTokenClaimNames.ISS));
} }
@Test @Test
@ -194,17 +193,6 @@ public class OidcIdTokenValidatorTests {
.allMatch(msg -> msg.contains(IdTokenClaimNames.EXP)); .allMatch(msg -> msg.contains(IdTokenClaimNames.EXP));
} }
@Test(expected = IllegalArgumentException.class)
public void validateIdTokenWhenNoClaimsThenHasErrors() {
this.claims.remove(IdTokenClaimNames.ISS);
this.claims.remove(IdTokenClaimNames.SUB);
this.claims.remove(IdTokenClaimNames.AUD);
this.issuedAt = null;
this.expiresAt = null;
assertThat(this.validateIdToken())
.hasSize(1);
}
private Collection<OAuth2Error> validateIdToken() { private Collection<OAuth2Error> validateIdToken() {
Jwt idToken = new Jwt("token123", this.issuedAt, this.expiresAt, this.headers, this.claims); Jwt idToken = new Jwt("token123", this.issuedAt, this.expiresAt, this.headers, this.claims);
OidcIdTokenValidator validator = new OidcIdTokenValidator(this.registration.build()); OidcIdTokenValidator validator = new OidcIdTokenValidator(this.registration.build());