Request user info when AS returns no scopes

Closes gh-12144
This commit is contained in:
Steve Riesenberg 2022-11-08 12:24:25 -06:00
parent 8cde8fb363
commit fde26e003a
No known key found for this signature in database
GPG Key ID: 5F311AB48A55D521
3 changed files with 34 additions and 3 deletions

View File

@ -173,8 +173,14 @@ public class OidcUserService implements OAuth2UserService<OidcUserRequest, OidcU
.equals(userRequest.getClientRegistration().getAuthorizationGrantType())) {
// Return true if there is at least one match between the authorized scope(s)
// and accessible scope(s)
//
// Also return true if authorized scope(s) is empty, because the provider has
// not indicated which scopes are accessible via the access token
// @formatter:off
return this.accessibleScopes.isEmpty()
|| CollectionUtils.isEmpty(userRequest.getAccessToken().getScopes())
|| CollectionUtils.containsAny(userRequest.getAccessToken().getScopes(), this.accessibleScopes);
// @formatter:on
}
return false;
}

View File

@ -458,14 +458,36 @@ public class OidcUserServiceTests {
@Test
public void loadUserWhenTokenDoesNotContainScopesThenNoScopeAuthorities() {
OidcUserService userService = new OidcUserService();
OidcUserRequest request = new OidcUserRequest(TestClientRegistrations.clientRegistration().build(),
TestOAuth2AccessTokens.noScopes(), TestOidcIdTokens.idToken().build());
OidcUserRequest request = new OidcUserRequest(this.clientRegistrationBuilder.build(),
TestOAuth2AccessTokens.noScopes(), this.idToken);
OidcUser user = userService.loadUser(request);
assertThat(user.getAuthorities()).hasSize(1);
Iterator<? extends GrantedAuthority> authorities = user.getAuthorities().iterator();
assertThat(authorities.next()).isInstanceOf(OidcUserAuthority.class);
}
@Test
public void loadUserWhenTokenDoesNotContainScopesAndUserInfoUriThenUserInfoRequested() {
// @formatter:off
String userInfoResponse = "{\n"
+ " \"sub\": \"subject1\",\n"
+ " \"name\": \"first last\",\n"
+ " \"given_name\": \"first\",\n"
+ " \"family_name\": \"last\",\n"
+ " \"preferred_username\": \"user1\",\n"
+ " \"email\": \"user1@example.com\"\n"
+ "}\n";
// @formatter:on
this.server.enqueue(jsonResponse(userInfoResponse));
String userInfoUri = this.server.url("/user").toString();
ClientRegistration clientRegistration = this.clientRegistrationBuilder.userInfoUri(userInfoUri).build();
OidcUserService userService = new OidcUserService();
OidcUserRequest request = new OidcUserRequest(clientRegistration, TestOAuth2AccessTokens.noScopes(),
this.idToken);
OidcUser user = userService.loadUser(request);
assertThat(user.getUserInfo()).isNotNull();
}
private MockResponse jsonResponse(String json) {
// @formatter:off
return new MockResponse()

View File

@ -16,10 +16,12 @@
package org.springframework.security.oauth2.core.endpoint;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
/**
@ -42,7 +44,8 @@ public final class TestOAuth2AccessTokenResponses {
public static OAuth2AccessTokenResponse.Builder oidcAccessTokenResponse() {
Map<String, Object> additionalParameters = new HashMap<>();
additionalParameters.put(OidcParameterNames.ID_TOKEN, "id-token");
return accessTokenResponse().additionalParameters(additionalParameters);
return accessTokenResponse().scopes(Collections.singleton(OidcScopes.OPENID))
.additionalParameters(additionalParameters);
}
}