Commit Graph

1280 Commits

Author SHA1 Message Date
Steve Riesenberg ea352e1c59 Add missing @since 5.6 2021-11-09 14:02:35 -06:00
Marcus Da Coregio db60df2f9c Update to Spring Framework 6.0
Issue gh-10360
2021-11-01 09:02:42 -03:00
Marcus Da Coregio 010f719344 Upgrade to JDK 17
Closes gh-10343
2021-11-01 09:02:42 -03:00
Marcus Da Coregio 560962649e Remove BlockHound dependency
The dependency is not needed anymore and there is a issue when using OpenJDK 13 or higher https://github.com/reactor/BlockHound/issues/33

Issue gh-10343
2021-11-01 09:02:42 -03:00
Rob Winch e4a76b0ec9 Checkstyle Fixes
- Javadoc tag ordering
- Private constructors before inner classes

Issue gh-10394
2021-10-22 10:19:34 -05:00
Rob Winch f836897190 Checkstyle Fixes
- Javadoc tag ordering
- Private constructors before inner classes

Issue gh-10394
2021-10-18 21:03:35 -05:00
Rob Winch 0c088e278a Update r2dbc-spi-test to 0.8.6.RELEASE
Closes gh-10393
2021-10-18 21:03:12 -05:00
Steve Riesenberg 0704c709dc Revert "Lock Dependencies for Release"
This reverts commit 03c2c49d66.
2021-10-18 17:38:07 -05:00
Steve Riesenberg 03c2c49d66 Lock Dependencies for Release 2021-10-18 17:34:42 -05:00
Steve Riesenberg c83bd075a2 Revert "Lock Dependencies for Release"
This reverts commit bedb569f0d.
2021-10-18 16:49:15 -05:00
Steve Riesenberg bedb569f0d Lock Dependencies for Release 2021-10-18 15:38:17 -05:00
Steve Riesenberg b2db2bdb2a Update r2dbc-spi-test to 0.8.6.RELEASE
Closes gh-10410
2021-10-18 14:20:00 -05:00
Joe Grandja 5c8cd23a2d Revert "Lock dependencies"
This reverts commit fc53f81d2e.
2021-10-18 10:48:23 -04:00
Dávid Kováč 64e9ac995a getClaimAsBoolean() should not be falsy
Closes gh-10148
2021-10-14 11:28:09 -05:00
Eleftheria Stein fc53f81d2e Lock dependencies 2021-10-14 15:44:09 +02:00
Philipp Neuschwander 6db58cbf8a Conditionally resolve bearer token from request parameters
Before this commit, the DefaultBearerTokenResolver unconditionally
resolved the request parameters to check whether multiple tokens
are present in the request and reject those requests as invalid.

This commit changes this behaviour to resolve the request parameters
only if parameter token is supported for the specific request
according to spec (RFC 6750).

Closes gh-10326
2021-10-13 17:10:50 -05:00
Dávid Kováč eb0597154d Update JavaDoc according to implementation
Update ClaimAccessor#getClaimAsMap and ClaimAccessor#getClaimAsStringList
JavaDoc according to the current implementation

Closes gh-10117
2021-10-13 13:13:44 -06:00
Dávid Kováč 0299808b05 Add ClaimAccessor tests
Add tests for ClaimAccessor#getClaimAsMap and ClaimAccessor#getClaimAsStringList

Issue gh-10117
2021-10-13 12:53:40 -06:00
Dávid Kováč 125d33e3cf Update JavaDoc according to implementation
Update ClaimAccessor#getClaimAsMap and ClaimAccessor#getClaimAsStringList
JavaDoc according to the current implementation

Closes gh-10117
2021-10-13 12:53:40 -06:00
Joe Grandja e3abaf7999 Add OAuth2ErrorCodes.INVALID_REDIRECT_URI
Closes gh-10370
2021-10-13 14:12:44 -04:00
Steve Riesenberg 3b564b2026 Add parameters converter support to AbstractWebClientReactiveOAuth2AccessTokenResponseClient
This adds support for configuring NimbusJwtClientAuthenticationParametersConverter to any AbstractWebClientReactiveOAuth2AccessTokenResponseClient as an additional parameters converter, which in turns adds reactive support for jwt client authentication.

Closes gh-10146
2021-10-06 13:09:33 -05:00
Steve Riesenberg 9b24f66f1c Implement reactive support for JWT as an Authorization Grant
Closes gh-10147
2021-10-05 16:09:24 -05:00
Marcus Da Coregio 02b2fcc6f0 Restore ManagementConfigurationPlugin
Issue gh-9615
2021-10-05 11:23:29 -03:00
Marcus Da Coregio d2e5f2ae0d Update Gradle to 7.2
Closes gh-9615
2021-10-04 15:19:40 -03:00
Josh Cummings dc95d8d705 Fix OAuth2 Error Code
Closes gh-10319
2021-09-28 15:23:53 -06:00
Josh Cummings 4df9b4547f Fix OAuth2 Error Code
Closes gh-10319
2021-09-28 14:56:25 -06:00
Josh Cummings 1f919bc791 Fix OAuth2 Error Code
Closes gh-10319
2021-09-28 14:55:37 -06:00
Josh Cummings 0f8fa36b93 Fix OAuth2 Error Code
Closes gh-10319
2021-09-28 13:24:51 -06:00
Darren Forsythe 5556b821e3 Check for multiple access tokens per rfc 6750
Check for multiple access tokens on the ServerHttpRequest rather than get get first. If multiples are found throw a OAuth2AuthenticationException.

Closes gh-5708
2021-09-28 08:07:06 -06:00
Joe Grandja 97c949d929 oauth2Login() AuthenticationProvider's preserve root cause exception when rethrown
Closes gh-10228
2021-09-24 10:41:31 -04:00
Joe Grandja 5830fda2fa Introduce JwtEncoder
Closes gh-9208
2021-09-24 05:13:40 -04:00
bishoy basily 860690491a Add setBodyExtractor
Closes gh-10260
2021-09-22 15:32:19 -06:00
Josh Cummings 7b599d4770 Share JWKSource Instances
Closes gh-10312
2021-09-22 13:28:08 -06:00
Josh Cummings 4e7c9bee46 Add Supplier JwtDecoders
Closes gh-9991
2021-09-22 10:58:55 -06:00
Rob Winch 62db842865 Update com.nimbusds to 9.15
Closes gh-10287
2021-09-17 16:40:58 -05:00
Ashley Scopes 171522ebf2 Replace usages of deprecated OAuth2IntrospectionClaimNames
Replace all usages of OAuth2IntrospectionClaimNames with
the suggested OAuth2TokenIntrospectionClaimNames.

There does not appear to be any further usages of OAuth2IntrospectionClaimNames,
so it should be suitable for removal when appropriate in accordance with the
deprecation policy.
2021-09-15 15:05:08 -06:00
Ashley Scopes 7ccc915b2b Ensuring consistency in error handling of opaque providers/managers
The OpaqueTokenAuthenticationProvider now propagates the cause of
introspection exceptions in the same way that the reactive
OpaqueTokenReactiveAuthenticationManager does.

Fixed a final field warning on both OpaqueTokenAuthenticationProvider
and OpaqueTokenReactiveAuthenticationManager.
2021-09-15 15:05:08 -06:00
Ashley Scopes e9d5bbba34 Fixed final field warnings in opaque token introspectors 2021-09-15 15:05:08 -06:00
Ashley Scopes 95c2403968 Fixed potential NullPointerException in opaque token introspection
It appears Nimbus does not check the presence of the Content-Type
header before parsing it in some versions, and since prior to this
commit, the code is .toString()-ing the result, a malformed response
(such as that from a misbehaving cloud gateway) that does not include
a Content-Type would currently throw a NullPointerException.

In addition to this, I have added a little more information to the
log output for this module on the standard and reactive implementations
to aid in debugging authorization/authentication issues much more
easily.
2021-09-15 15:05:08 -06:00
Ashley Scopes dd43d9198b Amended treatment of OAuth2 'iss' claim
Prior to this commit, the OAuth2 resource server code is failing any issuer
that is not a valid URL. This does not correspond to
https://datatracker.ietf.org/doc/html/rfc7662#page-7 which redirects to
https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1, defining an
issuer as being a "StringOrURI", which is defined at
https://datatracker.ietf.org/doc/html/rfc7519#page-5 as being
an "arbitrary string value" that "MUST be a URI" only for
"any value containing a ':'".

The issue currently is that an issuer that is not a valid URL may be
provided, which will automatically result in the request being aborted
due to being invalid.

I have removed the check entirely, since while the claim could be invalid,
it is still a response that the OAuth2 introspection endpoint has provided.
In the liklihood that interpretations of this behaviour are different for
the OAuth2 server implementation in use, this currently stops Spring
Security from being able to be used at all without implementing a custom
introspector from scratch.

It is also worth noting that the spec does not specify whether it is
valid to normalize issuers or not if they are valid URLs. This may cause
other unintended side effects as a result of this change, so it is
safer to disable it entirely.
2021-09-15 15:05:08 -06:00
Ayush Kohli f1691370d6 Closes gh-10222 2021-09-03 10:58:01 -06:00
/usr/local/ΕΨΗΕΛΩΝ 4302a86fad
Default principalClaimName to SUB
Closes gh-10214
2021-08-20 15:02:22 -06:00
Rujun Chen 9b4ddd7e0a Make AuthorizationGrantTypeConverter support custom grant type
Closes gh-10155
2021-08-19 13:13:20 -04:00
Fabio Guenci 8c1201ae49
Preserve Null Claim Values
Prior to this commit ClaimTypeConverter returned the claims with the
original value for all the claims with a null converted value.
The changes allows ClaimTypeConverter to overwrite and return claims
with converted value of null.

Closes gh-10135
2021-08-16 15:07:23 -06:00
Joe Grandja ec6b2203ca Revert "Lock Dependencies for Release"
This reverts commit 067bdd0dd9.
2021-08-16 11:55:39 -04:00
Joe Grandja 067bdd0dd9 Lock Dependencies for Release 2021-08-16 11:12:40 -04:00
Fabio Guenci 9925c6a4c0
Preserve Null Claim Values
Prior to this commit ClaimTypeConverter returned the claims with the
original value for all the claims with a null converted value.
The changes allows ClaimTypeConverter to overwrite and return claims
with converted value of null.

Closes gh-10135
2021-08-16 08:44:27 -06:00
Fabio Guenci f33598946f
Preserve Null Claim Values
Prior to this commit ClaimTypeConverter returned the claims with the
original value for all the claims with a null converted value.
The changes allows ClaimTypeConverter to overwrite and return claims
with converted value of null.

Closes gh-10135
2021-08-16 08:40:39 -06:00
Fabio Guenci b067aa4653
Preserve Null Claim Values
Prior to this commit ClaimTypeConverter returned the claims with the
original value for all the claims with a null converted value.
The changes allows ClaimTypeConverter to overwrite and return claims
with converted value of null.

Closes gh-10135
2021-08-16 08:22:31 -06:00
Marcus Da Coregio c706a103f9 Revert "Lock Dependencies"
This reverts commit 1533f098d2.
2021-08-16 10:35:39 -03:00
Marcus Da Coregio 1533f098d2 Lock Dependencies 2021-08-16 09:42:34 -03:00
Josh Cummings cdc902d04d
Update SpringOpaqueTokenIntrospector
Issue gh-9647
2021-08-12 16:52:02 -06:00
Dávid Kováč 3ff825576b Move and rename OAuth2IntrospectionClaimAccessor/Names
Introduced OAuth2TokenIntrospectionClaimAccessor and OAuth2TokenIntrospectionClaimNames
with copied implementation from OAuth2IntrospectionClaimAccessor/Names.
OAuth2IntrospectionClaimAccessor and OAuth2IntrospectionClaimNames are
now deprecated.

Also method getScopes() returning list of scopes was introduced
and getScope() is now deprecated.

Closes gh-9647
2021-08-12 16:51:33 -06:00
Josh Cummings b83a4c2985
Polish Preserve Null Claim Values
Preserves the original behavior of ClaimTypeConverter so that its
converters can maintain their default behavior of null meaning that
conversion failed.

Issue gh-10135
2021-08-12 10:22:44 -06:00
Fabio Guenci 30a1c1af7c
Preserve Null Claim Values
Prior to this commit ClaimTypeConverter returned the claims with the
original value for all the claims with a null converted value.
The changes allows ClaimTypeConverter to overwrite and return claims
with converted value of null.

Closes gh-10135
2021-08-12 10:09:34 -06:00
Steve Riesenberg 6d6dc113d8 Add converter for authentication result in OAuth2LoginAuthenticationFilter
Closes gh-10033
2021-08-10 16:50:19 -05:00
Steve Riesenberg fc553bf19a Add gh-10130 to tests 2021-08-09 15:33:54 -05:00
Steve Riesenberg acca3dba69 Polish gh-10131 2021-08-09 11:07:12 -05:00
Vincent Boulaye 044157061f Enable customizing headers in token requests
Adds the possibility to customize the headers of the access token request in AbstractWebClientReactiveOAuth2AccessTokenResponseClient, similarly to what is done in the AbstractOAuth2AuthorizationGrantRequestEntityConverter.

Closes gh-10130
2021-08-09 10:50:37 -05:00
Josh Cummings 6370906ead
Add SpringOpaqueTokenIntrospector
Closes gh-9354
2021-07-26 10:50:50 -06:00
Steve Riesenberg e1b6a7ba29 Revert "URL encode client credentials"
This reverts commit c0200512a7.

Issue gh-9610 gh-9863
Closes gh-10018
2021-07-20 14:06:46 -05:00
Steve Riesenberg f55247e28a Revert "URL encode client credentials"
This reverts commit 6cafa48369.

Issue gh-9610 gh-9862
Closes gh-10018
2021-07-20 14:05:55 -05:00
Steve Riesenberg dc81e1c86b Revert "URL encode client credentials"
This reverts commit 5243b1b8a8.

Issue gh-9610 gh-9861
Closes gh-10018
2021-07-20 13:29:29 -05:00
Steve Riesenberg dfebd6d9d4 Revert "URL encode client credentials"
This reverts commit e6c268add0.

Issue gh-9610 gh-9858
Closes gh-10018
Closes gh-10121
2021-07-20 12:59:44 -05:00
Steve Riesenberg f5266c7511 Remove wildcard from generics in converter
Polish gh-9779
2021-07-12 23:42:47 -05:00
Rob Winch f73f213f50 Remove DependencySetPlugin
Closes gh-10070
2021-07-12 15:31:38 -05:00
Rob Winch 98bd772b67 format 2021-07-09 14:49:47 -05:00
Rob Winch b6ff4d3674 Fix mockito UnnecessaryStubbingException 2021-07-09 14:35:10 -05:00
Rob Winch 3e93b024d6 openrewrite Junit Migration 2021-07-09 14:32:52 -05:00
Rob Winch 14240b2559 Remove Powermock
Powermock does not support JUnit5 yet, so we need to remove it
to support JUnit 5. Additionally, maintaining additional libraries
adds extra work for the team.

Mockito now supports final classes and static method mocking. This
commit replaces Powermock with mockito-inline.

Closes gh-6025
2021-07-08 12:35:32 -05:00
Marcus Da Coregio b0d22d1a03 Revert "Lock Dependencies"
This reverts commit eb300c78bd.
2021-06-22 10:20:07 -03:00
Steve Riesenberg c17767883f Revert "Lock Dependencies for Release"
This reverts commit d71be4ca28.
2021-06-21 12:57:05 -05:00
Josh Cummings d71be4ca28
Lock Dependencies for Release 2021-06-21 10:33:10 -06:00
Marcus Da Coregio eb300c78bd Lock Dependencies 2021-06-21 09:23:19 -03:00
Arnaud Mergey 1cd4ffeeb7
fix typo preventing full exception to be displayed in log
closes gh-9901
2021-06-17 08:40:55 -06:00
Arnaud Mergey 5fd81eeaf1
fix typo preventing full exception to be displayed in log
closes gh-9901
2021-06-17 08:38:24 -06:00
Josh Cummings d4c3cea0e6
Update Copyright
Issue gh-9901
2021-06-17 08:34:31 -06:00
Arnaud Mergey 1d606ccedb fix typo preventing full exception to be displayed in log
closes gh-9901
2021-06-17 08:33:32 -06:00
Steve Riesenberg a332e2a728
Support additional client authentication methods
Closes gh-9780
2021-06-16 16:03:13 -05:00
Steve Riesenberg 9daf058a6e
Handle missing authorization endpoint uri
Closes gh-9795
2021-06-16 16:00:53 -05:00
Steve Riesenberg 839cc5e851
Remove validation for unsupported grant types
Closes gh-9828
2021-06-16 15:55:45 -05:00
Steve Riesenberg 807ce30948 Support additional client authentication methods
Closes gh-9780
2021-06-16 15:48:03 -05:00
Steve Riesenberg 0cba0874f3 Handle missing authorization endpoint uri
Closes gh-9795
2021-06-16 15:38:53 -05:00
Steve Riesenberg 9b05afdee8 Remove validation for unsupported grant types
Closes gh-9828
2021-06-16 14:54:33 -05:00
Joe Grandja 6fbd038111 Jwt client authentication converter detects new key
Closes gh-9814
2021-06-16 12:58:01 -04:00
Joe Grandja eb6ed283e0 Jwt client authentication converter detects new key
Closes gh-9814
2021-06-16 12:55:12 -04:00
Steve Riesenberg 67a18f564a Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository
Related to gh-9649
Closes gh-9857
2021-06-15 12:14:37 -05:00
Steve Riesenberg b6ae11295f Commit missing compile fix from cherry-pick conflict 2021-06-15 12:10:06 -05:00
Steve Riesenberg ee9c8e2fd0 Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository
Related to gh-9649
Closes gh-9857
2021-06-15 12:06:22 -05:00
Steve Riesenberg a108868529 Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository
Related to gh-9649
Closes gh-9857
Closes gh-9912
2021-06-15 11:44:34 -05:00
Steve Riesenberg 700bda68b7 Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository
Related to gh-9649
Closes gh-9857
2021-06-15 11:32:35 -05:00
Steve Riesenberg aed993f3e5
Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository
Related to gh-9649
Closes gh-9857
2021-06-15 11:03:30 -05:00
Steve Riesenberg c0200512a7 URL encode client credentials
Closes gh-9610
2021-06-08 08:27:20 -05:00
Eleftheria Stein 36805c7192 Revert "Use strict equality for timestamp comparison in JDBC tests"
This reverts commit 09a0670cb6.

This appears to still be an issue in Windows

Issue gh-8782
2021-06-08 10:13:53 +03:00
Eleftheria Stein 09a0670cb6 Use strict equality for timestamp comparison in JDBC tests
This is possible because of the update to HSQLDB 2.6.0
This reverts commit eb7b27695d.

Closes gh-8782
2021-06-08 09:31:55 +03:00
Eleftheria Stein 204a32aba8 Replace < and > with &lt and &gt in Javadoc
Closes gh-9847
2021-06-04 12:26:07 +03:00
Steve Riesenberg 6cafa48369 URL encode client credentials
Closes gh-9610
2021-06-03 09:39:00 -05:00
Steve Riesenberg 5243b1b8a8 URL encode client credentials
Closes gh-9610
2021-06-03 09:29:25 -05:00
Steve Riesenberg e6c268add0 URL encode client credentials
Closes gh-9610
2021-06-03 09:12:18 -05:00
Steve Riesenberg 10de63ce89 Access Token Response supports any data type
Changed the converter used to convert a map into an OAuth2AccessTokenResponse to
support any object as the value, including json numbers and nested objects. Also
deprecated old classes/setters and added new classes/setters.

Closes gh-9685
2021-06-01 14:38:14 -05:00
Steve Riesenberg ac9b137cad URL encode client credentials
Closes gh-9610
2021-06-01 12:57:06 -05:00
Josh Cummings 6d816fbf85
Polish postLogoutRedirectUri encoding
Issue gh-9511
2021-05-26 14:38:20 -06:00
Hans Hosea Schaefer e52b104636
Encode postLogoutRedirectUri query params
Now encodes already encoded queryparameters in postLogoutRedirectUrl
correctly

Closes gh-9511
2021-05-26 14:36:05 -06:00
Josh Cummings 24c3c52254
Polish postLogoutRedirectUri encoding
Issue gh-9511
2021-05-26 13:58:28 -06:00
Hans Hosea Schaefer 499701e67a
Encode postLogoutRedirectUri query params
Now encodes already encoded queryparameters in postLogoutRedirectUrl
correctly

Closes gh-9511
2021-05-26 13:58:23 -06:00
Josh Cummings f48a006034
Polish postLogoutRedirectUri encoding
Issue gh-9511
2021-05-26 13:51:26 -06:00
Hans Hosea Schaefer b7a0959ede
Encode postLogoutRedirectUri query params
Now encodes already encoded queryparameters in postLogoutRedirectUrl
correctly

Closes gh-9511
2021-05-26 13:51:15 -06:00
Josh Cummings 65ecaa0c28
Polish postLogoutRedirectUri encoding
Issue gh-9511
2021-05-26 12:31:41 -06:00
Hans Hosea Schaefer b671a96073
Encode postLogoutRedirectUri query params
Now encodes already encoded queryparameters in postLogoutRedirectUrl
correctly

Closes gh-9511
2021-05-26 12:10:03 -06:00
Steve Riesenberg d3a3c36ad3 Handle custom status codes in error handler
Fixes an issue where custom status codes in the error response cause an
IllegalArgumentException to be thrown when resolving an HttpStatus.

Closes gh-9741
2021-05-25 16:14:35 -05:00
Steve Riesenberg 22272321f2 Handle custom status codes in error handler
Fixes an issue where custom status codes in the error response cause an
IllegalArgumentException to be thrown when resolving an HttpStatus.

Closes gh-9741
2021-05-25 15:37:37 -05:00
Steve Riesenberg 589eccc547 Handle custom status codes in error handler
Fixes an issue where custom status codes in the error response cause an
IllegalArgumentException to be thrown when resolving an HttpStatus.

Closes gh-9741
2021-05-25 15:08:05 -05:00
Steve Riesenberg de4b3a4310 Handle custom status codes in error handler
Fixes an issue where custom status codes in the error response cause an
IllegalArgumentException to be thrown when resolving an HttpStatus.

Closes gh-9741
2021-05-25 13:41:04 -05:00
Steve Riesenberg 36dcbe24d0 Handle custom status codes in error handler
Fixes an issue where custom status codes in the error response cause an
IllegalArgumentException to be thrown when resolving an HttpStatus.

Closes gh-9741
2021-05-25 13:31:34 -05:00
Rob Winch 372c2b805b Update r2dbc-spi-test to 0.8.5.RELEASE
Closes gh-9752
2021-05-14 13:23:54 -05:00
Josh Cummings 5b24bd1288
Adjust ClientRegistrationsTests
Closes gh-9748
2021-05-14 10:30:46 -06:00
Rob Winch c9a8419e22 Additional HttpSessionOAuth2AuthorizationRequestRepository tests
Issue gh-5145
2021-05-13 20:12:15 -04:00
Craig Andrews ecb4a5749a HttpSessionOAuth2AuthorizationRequestRepository: store one request by default
Add setAllowMultipleAuthorizationRequests allowing applications to
revert to the previous functionality should they need to do so.

Closes gh-5145
Intentionally regresses gh-5110
2021-05-13 20:12:00 -04:00
Rob Winch a4216d0ea5 Additional HttpSessionOAuth2AuthorizationRequestRepository tests
Issue gh-5145
2021-05-13 19:52:00 -04:00
Craig Andrews b8eee2002f HttpSessionOAuth2AuthorizationRequestRepository: store one request by default
Add setAllowMultipleAuthorizationRequests allowing applications to
revert to the previous functionality should they need to do so.

Closes gh-5145
Intentionally regresses gh-5110
2021-05-13 19:50:47 -04:00
Rob Winch f3436f25fb Additional HttpSessionOAuth2AuthorizationRequestRepository tests
Issue gh-5145
2021-05-13 14:01:04 -04:00
Craig Andrews e447a35cf2 HttpSessionOAuth2AuthorizationRequestRepository: store one request by default
Add setAllowMultipleAuthorizationRequests allowing applications to
revert to the previous functionality should they need to do so.

Closes gh-5145
Intentionally regresses gh-5110
2021-05-13 14:00:53 -04:00
Asian Malaysian Vietnamese 5f6de026a8 Update javadoc AuthorizationCodeOAuth2AuthorizedClientProvider
Closes gh-9708
2021-05-13 13:02:08 -04:00
Rob Winch 64b7af473d Additional HttpSessionOAuth2AuthorizationRequestRepository tests
Issue gh-5145
2021-05-12 14:59:25 -05:00
Craig Andrews 35f5ebdbcf HttpSessionOAuth2AuthorizationRequestRepository: store one request by default
Add setAllowMultipleAuthorizationRequests allowing applications to
revert to the previous functionality should they need to do so.

Closes gh-5145
Intentionally regresses gh-5110
2021-05-12 14:59:25 -05:00
Marcus Hert da Coregio 6413511eb6 Update Deprecated Property in Opaque Token Introspectors
Update NimbusOpaqueTokenIntrospector and NimbusReactiveOpaqueTokenIntrospector to use MediaType.APPLICATION_JSON instead of the deprecated MediaType.APPLICATION_JSON_UTF8

Closes gh-9353
2021-05-06 13:47:09 -06:00
Joe Grandja 761e3a9dd8 JwtBearerOAuth2AuthorizedClientProvider checks for access token expiry
Fixes gh-9700
2021-04-30 10:12:38 -04:00
Josh Cummings b0011893d2
Update Copyright
Issue gh-9651
2021-04-20 10:43:20 -06:00
Tibor Koch 5da472f3be Fix ClassCastException
Closes gh-9651
2021-04-20 10:42:52 -06:00
Joe Grandja 26c6570b10 Revert "Lock Dependencies"
This reverts commit b3250c06a9.
2021-04-12 14:42:38 -04:00
Joe Grandja b3250c06a9 Lock Dependencies 2021-04-12 14:19:19 -04:00
Joe Grandja 8850ccb1c6 Revert "Lock Dependencies"
This reverts commit 924ceac681.
2021-04-12 13:47:04 -04:00
Joe Grandja 924ceac681 Lock Dependencies 2021-04-12 13:36:39 -04:00
Josh Cummings 7ded671858
Refactor AuthenticationDetailsSource support
- BearerTokenAuthenticationFilter exposes this directly, simplifying
configuration and removing a package tangle

Closes gh-9576
2021-04-09 12:41:16 -06:00
Joe Grandja b556655290 Make OAuth2AuthorizationResponseType constructor public
Closes gh-9584
2021-04-09 08:01:08 -04:00
Joe Grandja dca7e03b91 Deprecate OAuth2AuthorizationResponseType.TOKEN
Closes gh-9582
2021-04-09 07:46:21 -04:00
Joe Grandja eff4cdc924 Polish gh-9505 2021-04-09 06:22:29 -04:00
Hassene Laaribi 7694aa27cf Add jwt-bearer authorization grant
Closes gh-6053
2021-04-09 06:22:29 -04:00
Joe Grandja 9c97970e26 Add Jwt Client Authentication support
Closes gh-8175
2021-04-08 15:44:33 -04:00
Rob Winch f3f1106624 Update io.spring.javaformat to 0.0.27
Closes gh-9553
2021-04-05 22:23:59 -05:00
Rob Winch 8323590b6c Update r2dbc-spi-test to 0.8.4.RELEASE
Closes gh-9551
2021-04-05 22:23:59 -05:00
Rob Winch 60d3db5798 add management platform(project(":spring-security-dependencies"))
Closes gh-9540
2021-04-05 10:36:36 -05:00
Rob Winch 1a76ee7442 Update Gradle configuration names
Closes gh-9540
2021-04-05 10:36:36 -05:00
Hassene Laaribi b8e47882aa Fix test to use non-expired token
Closes gh-9506
2021-03-17 17:38:08 +01:00
Eleftheria Stein 4a492846f1 Revert "Lock dependencies for 2.5.0-M3"
This reverts commit f05cc6269c.
2021-03-15 23:18:45 +01:00
Eleftheria Stein f05cc6269c Lock dependencies for 2.5.0-M3 2021-03-15 11:00:19 +01:00
Josh Cummings b774e91734
Polish BearerTokenAuthenticationConverter
Issue gh-8840
2021-03-12 15:05:06 -07:00
Jeongjin Kim 31f310fd22
Add BearerTokenAuthenticationConverter
BearerTokenAuthenticationConverter is introduced to solve the
problem of not being able to change AuthenticationDetailsSource.
BearerTokenAuthenticationFilter delegates to
BearerTokenAuthenticationConverter the task of creating
BearerTokenAuthenticationToken and setting AuthenticationDetailsSource.
BearerTokenAuthenticationConverter is customizable and the customized
converter can be used in BearerTokenAuthenticationFilter.

Closes gh-8840
2021-03-12 15:05:06 -07:00
Josh Cummings 71e0967b53
Revert "Lock Dependencies for Release"
This reverts commit 8c04074264.
2021-02-17 15:59:48 -07:00
Josh Cummings 8c04074264
Lock Dependencies for Release 2021-02-17 14:59:17 -07:00
Josh Cummings 5e5ff27109
Configure Jackson for nanosecond precision
Closes gh-9461
2021-02-17 11:53:36 -07:00
Josh Cummings a0a9718b8b
Use Instant with micro-second precision
Closes gh-9449
2021-02-17 11:31:23 -07:00
Josh Cummings cf032d86d6
Revert "Lock Dependencies"
This reverts commit 9535a41d5a.
2021-02-11 18:38:07 -07:00
Josh Cummings 9535a41d5a
Lock Dependencies 2021-02-11 17:43:39 -07:00
Josh Cummings f449da8b78
Revert "Lock Dependencies"
This reverts commit d17ebf53f9.
2021-02-11 17:28:01 -07:00
Josh Cummings d17ebf53f9
Lock Dependencies 2021-02-11 16:56:28 -07:00
Josh Cummings c4be1c6a56
Revert "Lock Dependencies"
This reverts commit a85caa4098.
2021-02-11 15:49:59 -07:00
Josh Cummings a85caa4098
Lock Dependencies 2021-02-11 15:00:38 -07:00
Rob Winch 71f9876c48 Revert "Lock dependencies"
This reverts commit dca4858d81.
2021-02-11 13:38:50 -06:00
Rob Winch dca4858d81 Lock dependencies 2021-02-11 13:00:32 -06:00
Rob Winch ec8f6014d4 Revert "Lock dependencies"
This reverts commit fa5f789beb.
2021-02-11 09:51:54 -06:00
Rob Winch fa5f789beb Lock dependencies 2021-02-11 08:53:40 -06:00
Josh Cummings 02d017abf7
Adjust Test Assertion
- Netty returns a slightly different exception on Windows,
so adjusted assertion accordingly.

Issue gh-9421
2021-02-10 13:20:51 -07:00
Josh Cummings ccb3b02888
Bearer Token Server-side Errors Return 500
Closes gh-9395
2021-02-10 12:35:34 -07:00
Josh Cummings e79141a188
Downgrade nimbus-jose-jwt to 8.+
Closes gh-9399
2021-02-03 13:18:18 -07:00
Joe Grandja 542c625d7d Allow null or empty authorities for DefaultOAuth2User
Make DefaultOAuth2User more inline with other part of
spring-security.
For example,
- DefaultOAuth2AuthenticatedPrincipal
- AbstractAuthenticationToken

Closes gh-9366
2021-02-02 04:43:29 -05:00
Joe Grandja e7acd1219d Allow null or empty authorities for DefaultOAuth2User
Make DefaultOAuth2User more inline with other part of
spring-security.
For example,
- DefaultOAuth2AuthenticatedPrincipal
- AbstractAuthenticationToken

Closes gh-9366
2021-02-02 04:35:39 -05:00
Mayur Patel fc24c7991c Allow null or empty authorities for DefaultOAuth2User
Make DefaultOAuth2User more inline with other part of
spring-security.
For example,
- DefaultOAuth2AuthenticatedPrincipal
- AbstractAuthenticationToken

Closes gh-9366
2021-02-01 17:26:56 -05:00
Mayur Patel 75706f118c Allow null or empty authorities for DefaultOAuth2User
Make DefaultOAuth2User more inline with other part of
spring-security.
For example,
- DefaultOAuth2AuthenticatedPrincipal
- AbstractAuthenticationToken

Closes gh-9366
2021-02-01 17:09:07 -05:00
Benjamin Faal 98399c920a Make user info response status check error only
Closes gh-9336
2021-01-25 11:10:03 -05:00
Benjamin Faal 0f7360e8fa Make user info response status check error only
Closes gh-9336
2021-01-25 10:46:07 -05:00
Benjamin Faal f6b678f137 Make user info response status check error only
Closes gh-9336
2021-01-25 10:23:49 -05:00
Benjamin Faal d85a7cfc4a Make user info response status check error only
Closes gh-9336
2021-01-25 10:02:58 -05:00
tristanessquare 580b988e7f
Fix NullPointerException
- Caused by a malformed WWW-Authenticate value

Closes gh-9364
2021-01-21 16:22:29 -07:00
tristanessquare 56db058fd0
Fix NullPointerException
- Caused by a malformed WWW-Authenticate value
2021-01-21 16:18:23 -07:00
Josh Cummings f36e2fca59
Remove SingleKeyJWSKeySelector
Closes gh-9348
2021-01-15 22:15:56 -07:00
Josh Cummings 6499a235b0
Suppress Compiler Warnings 2021-01-08 11:30:28 -07:00
Josh Cummings 2566abec31
Add Type Parameter
Closes gh-8412
2020-12-11 10:20:18 -07:00
Ovidiu Popa 174b71c017 OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray or JSONObject
ObjectToListStringConverter and ObjectToMapStringObjectConverter were checking if the source object is of type List or Map and if the first element or key is a String. If we have a JSONArray containing Strings the above check will pass, meaning that a JSONArray will be returned which is not serializable (same applies to JSONObject)

With this change, even if the check is passing a new List or Map will be returned.

Closes gh-9210
2020-12-03 11:42:00 -05:00
Ovidiu Popa 7d31837af3 OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray or JSONObject
ObjectToListStringConverter and ObjectToMapStringObjectConverter were checking if the source object is of type List or Map and if the first element or key is a String. If we have a JSONArray containing Strings the above check will pass, meaning that a JSONArray will be returned which is not serializable (same applies to JSONObject)

With this change, even if the check is passing a new List or Map will be returned.

Closes gh-9210
2020-12-03 11:20:11 -05:00
Ovidiu Popa b8175bccd2 OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray or JSONObject
ObjectToListStringConverter and ObjectToMapStringObjectConverter were checking if the source object is of type List or Map and if the first element or key is a String. If we have a JSONArray containing Strings the above check will pass, meaning that a JSONArray will be returned which is not serializable (same applies to JSONObject)

With this change, even if the check is passing a new List or Map will be returned.

Closes gh-9210
2020-12-03 10:54:00 -05:00
Ovidiu Popa d5d0be36f4 OidcIdToken cannot be serialized to JSON if token contains claim of type JSONArray or JSONObject
ObjectToListStringConverter and ObjectToMapStringObjectConverter were checking if the source object is of type List or Map and if the first element or key is a String. If we have a JSONArray containing Strings the above check will pass, meaning that a JSONArray will be returned which is not serializable (same applies to JSONObject)

With this change, even if the check is passing a new List or Map will be returned.

Closes gh-9210
2020-12-03 09:58:30 -05:00
Josh Cummings 1af21a9d02
Revert "Lock Dependencies for 5.4.2"
This reverts commit 046bc9789f.
2020-12-02 22:21:02 -07:00
Josh Cummings 7c2010f507
Revert "Lock Dependencies for 5.3.6"
This reverts commit a153012056.
2020-12-02 19:32:03 -07:00
Josh Cummings 046bc9789f
Lock Dependencies for 5.4.2 2020-12-02 17:36:26 -07:00
Josh Cummings a153012056
Lock Dependencies for 5.3.6 2020-12-02 16:31:52 -07:00
olivier.antoine 808b8c3256 Avoid ClassCastException if principalClaim value is not a String
Closes gh-9212
2020-12-02 16:15:10 -07:00
Joe Grandja 58e3235093 Deprecate ClientAuthenticationMethod BASIC and POST
Closes gh-9220
2020-11-25 15:13:28 -05:00
grimsa c002c6f9f3
Add ClaimAccessor#hasClaim
The new method is intended to replace ClaimAccessor#containsClaim, the
return type of which was non-primitive Boolean. The existing
containsClaim method is now deprecated.

Closes gh-9201
2020-11-25 11:58:17 -07:00
Josh Cummings b0d4e500a8
Polish Add DelegatingJwtGrantedAuthoritiesConverter
- Adjusted internal logic to follow DelegatingOAuth2TokenValidator
- Changed JavaDoc to align more closely with
JwtGrantedAuthoritiesConverter
- Polished test names to follow Spring Security naming convention
- Updated test class name to follow Spring Security naming convention
- Polished tests to use TestJwts
- Added tests to address additional use cases

Closes gh-7596
2020-11-24 15:31:07 -07:00
Ropi 97cc119d86
Add DelegatingJwtGrantedAuthoritiesConverter
Closes gh-7596
2020-11-24 14:18:40 -07:00
Josh Cummings af669a2166
Remove Reliance on BearerTokenResolver
Closes gh-9186
2020-11-12 15:40:55 -07:00
Joe Grandja 61550f8a48 Add convenience constructor in OAuth2AuthenticationException
Closes gh-9190
2020-11-04 13:37:14 -05:00
Joe Grandja b95e1aa209 Revert "Lock dependencies for 5.5.0-M1"
This reverts commit 25a7482c8c.
2020-11-03 19:53:28 -05:00
Arvid Ottenberg d0d655e18d
Allow Customization of Bearer Token Resolution
Closes gh-8535
2020-11-03 14:34:46 -07:00
Joe Grandja 9d1637d2cd Add unsupported_token_type to OAuth2ErrorCodes
Closes gh-9184
2020-11-03 14:11:01 -05:00
Joe Grandja dafedf93fa Fix format gh-9183 2020-11-03 14:00:07 -05:00
Joe Grandja aeb999eae2 Add token and token_type_hint to OAuth2ParameterNames
Closes gh-9183
2020-11-03 13:42:28 -05:00
Joe Grandja 0c25b8c1f9 Introduce JwaAlgorithm
Closes gh-9182
2020-11-03 13:03:50 -05:00
Joe Grandja c069692ab9 Extract OAuth2Token from AbstractOAuth2Token
Closes gh-5502
2020-11-02 20:35:08 -05:00
Rob Winch 25a7482c8c Lock dependencies for 5.5.0-M1 2020-10-30 17:52:03 -05:00
Ovidiu Popa 6724e3e514 Provide a R2dbc implementation of ReactiveOuath2AuthorizedClientService
Implement R2dbcReactiveOuath2AuthorizedClientService which persists the
Oauth2AuthorizedClient in a sql database

R2dbcReactiveOuath2AuthorizedClientService is using the spring-r2dbc
module to persist/load Oauth2AuthorizedClient to/from a sql database

Add optional depedency to the spring-r2dbc module
Add test compile dependencies to r2dbc-h2 and r2dbc-test

Closes gh-7890
2020-10-29 15:44:12 -04:00
Christian Mouttet 6486857462 JwtIssuerValidator handles issuer (iss) claim values as Strings and URLs
- NimbusJwtDecoder uses claim set converters: issuer claim is converted to an URL object
- JwtIssuerValidator (created by JwtValidators.createDefaultWithIssuer(String)) wraps a JwtClaimValidator<String>
- because of different data types, equal() is always false

This change allows both Strings and URLs as values of the issuer

Closes gh-9136
2020-10-28 14:20:27 -06:00
Joe Grandja b182d9def1 Fix code formatting
Issue gh-9146
2020-10-22 13:30:48 -04:00
Alexey Nesterov 339da36878 Add refresh token expiration support
Closes gh-9146
2020-10-22 12:41:48 -04:00
Craig Andrews 42a787d1f6 Add Postgres sql for JDBC implementation of OAuth2AuthorizedClientService
Postgres doesn't have a BLOB type, but it does have an equivalent BYTEA
type.
This approach and naming convention follows the convention established
in Spring Session JDBC which has sql for each RDBMS with files names in
the pattern *-{dbname}.sql, for example:
schema-db2.sql
schema-derby.sql
schema-h2.sql
schema-mysql.sql
schema-postgresql.sql

See https://github.com/spring-projects/spring-session/tree/2.3.1.RELEASE/spring-session-jdbc/src/main/resources/org/springframework/session/jdbc

Issue gh-9070
2020-10-22 09:56:20 -04:00
Craig Andrews 05dc326389 Use LobHandler in JdbcOAuth2AuthorizedClientService
LobHandler provides an abstraction for handling large binary fields and large text
fields in specific databases, no matter if represented as simple types or
Large OBjects.

Its use provides compatibility with many databases eliminating the need
for custom OAuth2AuthorizedClientParametersMapper and
OAuth2AuthorizedClientRowMapper implementations.

Closes gh-9070
2020-10-22 09:56:20 -04:00
Josh Cummings 366146ff80
Polish JWT Signature Algorithm Discovery
- Moved support to JwtDecoders and ReactiveJwtDecoders since there is
already the expectation that those classes make an outbound connection
to complete configuration. Since there's no outbound connection when
configuring a NimbusJwtDecoder or NimbusReactiveJwtDecoder, it would be
more intrusive to change that.

Closes gh-7160
2020-10-09 14:17:30 -06:00
Nick Hitchan 290786438c
Add Support for JWK Signature Algorithm Discovery
Issue gh-7160
2020-10-09 13:09:38 -06:00
Josh Cummings 2dcfda7fac
Revert "Lock Dependencies for 5.3.5.RELEASE"
This reverts commit 846a5a962c.
2020-10-07 16:39:28 -06:00
Josh Cummings 84737e7b23
Revert "Lock Dependencies for 5.4.1"
This reverts commit 48ac47418d.
2020-10-07 16:38:48 -06:00
Josh Cummings 48ac47418d
Lock Dependencies for 5.4.1 2020-10-07 16:01:34 -06:00
Josh Cummings 846a5a962c
Lock Dependencies for 5.3.5.RELEASE 2020-10-07 13:18:01 -06:00
Phillip Webb c502312719 Replace expected @Test attributes with AssertJ
Replace JUnit expected @Test attributes with AssertJ calls.
2020-09-22 16:13:51 -06:00
Phillip Webb 20baa7d409 Replace ExpectedException @Rules with AssertJ
Replace JUnit ExpectedException @Rules with AssertJ calls.
2020-09-22 16:13:51 -06:00
Joe Grandja 6e6d382357 Adapt to WebClient's new exception wrapping
See https://github.com/spring-projects/spring-framework/issues/23842

Closes gh-9031
2020-09-17 12:21:51 -04:00
Joe Grandja 7b1f574769 Revert "Lock Dependency Versions for 5.4.0"
This reverts commit 3d0e459182.
2020-09-09 18:14:12 -04:00
Joe Grandja 3d0e459182 Lock Dependency Versions for 5.4.0 2020-09-09 13:45:03 -04:00
Josh Cummings bf067d679f
Add Logging to Resource Server
Closes gh-9000
2020-09-08 13:09:33 -06:00
Rob Winch 2abf59b695 Merge Formatting Changes
Issue gh-8945
2020-08-24 17:33:23 -05:00
Rob Winch 36ae1fe3f9 Polish oauth2-resource-server format
Issue gh-8945
2020-08-24 17:33:09 -05:00
Rob Winch d5ae4337e3 Polish oauth2-jose format
Issue gh-8945
2020-08-24 17:33:09 -05:00
Rob Winch a729d24d47 Polish oauth2-core format
Issue gh-8945
2020-08-24 17:33:09 -05:00
Rob Winch dc47a7575e Polish oauth-client format
Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb 319d3364aa Migrate to assertThatExceptionOfType
Consistently use `assertThatExceptionOfType(...).isThrownBy(...)`
rather than `assertThatCode` or `assertThatThrownBy`. This aligns with
Spring Boot and Spring Cloud. It also allows the convenience
`assertThatIllegalArgument` and `assertThatIllegalState` methods to
be used.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb 2f8e835b11 Use assertThatObject to save casting
Update tests that use `assertThat((Object) ...)` to use the convenience
`assertThatObject(...)` method instead.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb 0a3eeb9c80 Remove incorrect AssertJ imports
Fix a few tests that were accidentally importing incorrect AssertJ
classes.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb a5aa6b3d7f Remove blank lines from all tests
Remove all blank lines from test code so that test methods are
visually grouped together. This generally helps to make the test
classes easer to scan, however, the "given" / "when" / "then"
blocks used by some tests are now not as easy to discern.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb ba19a9e4b6 Polish spring-security-oauth2-resource-server main code
Manually polish `spring-security-oauth-resource-server`
following the formatting and checkstyle fixes.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb 20aa8bef25 Polish spring-security-oauth2-jose main code
Manually polish `spring-security-oauth-jose` following the
formatting and checkstyle fixes.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb a577871bca Polish spring-security-oauth2-core main code
Manually polish `spring-security-oauth-core` following the
formatting and checkstyle fixes.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb 7a715f9086 Polish spring-security-oauth2-client main code
Manually polish `spring-security-oauth-cleint` following the
formatting and checkstyle fixes.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb 834dcf5bcf Use consistent ternary expression style
Update all ternary expressions so that the condition is always in
parentheses and "not equals" is used in the test. This helps to bring
consistency across the codebase which makes ternary expression easier
to scan.

For example: `a = (a != null) ? a : b`

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 8d3f039f76 Reduce method visibility when possible
Reduce method visibility for package private classes when possible.

In the case of abstract classes that will eventually be made public,
the class has been made public and a package-private constructor has
been added.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 612fb22a7f Remove unnecessary lambda blocks
Remove lambda blocks that aren't needed and replace instead with a
simple expression.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 52f20b5281 Use parenthesis with single-arg lambdas
Use regular expression search/replace to ensure all single-arg
lambdas have parenthesis. This aligns with the style used in Spring
Boot and ensure that single-arg and multi-arg lambdas are consistent.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 01d90c9881 Hide utility class constructors
Update all utility classes so that they have a private constructor. This
prevents users from accidentally creating an instance, when they should
just use the static methods directly.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb ff94944313 Add whitespace after copyright header
Add an additional lines after the copyright header and before the
`package` declaration. This aligns with the style used by Spring
Framework.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 31ec450d05 Remove superfluous comments
Remove a few comments that previously add noise but don't offer a great
deal of value.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 8d80166aaf Update exception variable names
Consistently use `ex` for caught exception and `cause` for Exception
constructor arguments.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb e9130489a6 Remove restricted static imports
Replace static imports with class referenced methods. With the exception
of a few well known static imports, checkstyle restricts the static
imports that a class can use. For example, `asList(...)` would be
replaced with `Arrays.asList(...)`.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb db55ef4b3b Migrate to BDD Mockito
Migrate Mockito imports to use the BDD variant. This aligns better with
the "given" / "when" / "then" style used in most tests since the "given"
block now uses Mockito `given(...)` calls.

The commit also updates a few tests that were accidentally using
Power Mockito when regular Mockito could be used.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 18f3d13363 Fix parenthesis padding issues
Fix a few parenthesis padding issues caused by the formatter.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 81fe9fc640 Make all exception classes immutable
Update all exception classes so that they are fully immutable and cannot
be changed once they have been thrown.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb a0b9442265 Use consistent modifier order
Update code to use a consistent modifier order that aligns with that
used in the "Java Language specification".

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb a2f2e9ac8d Move inner-types so that they are always last
Move all inner-types so that they are consistently the last item
defined. This aligns with the style used by Spring Framework and
the consistency generally makes it easier to scan the source.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 418c3d6808 Avoid inner assignments
Replace code of the form `a = b =c` with distinct statements. Although
this results in more lines of code, they are usually easier to
understand.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 9e08b51ed3 Apply code cleanup rules to projects
Apply automated cleanup rules to add `@Override` and `@Deprecated`
annotations and to fix class references used with static methods.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 8866fa6fb0 Always use 'this.' when accessing fields
Apply an Eclipse cleanup rules to ensure that fields are always accessed
using `this.`. This aligns with the style used by Spring Framework and
helps users quickly see the difference between a local and member
variable.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 6894ff5d12 Make classes final where possible
Update classes that have private constructors so that they are also
declared final. In a few cases, inner-classes used private constructors
but were subclassed. These have now been changed to have package-private
constructors.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 37fa94fafc Organize imports
Use "organize imports" from Eclipse to cleanup import statements so
that they appear in a consistent and well defined order.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 5f64f53c3f Use consistent "@" tag order in Javadoc
Ensure that Javadoc "@" tags appear in a consistent and well defined
order.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb b7fc18262d Reformat code using spring-javaformat
Run `./gradlew format` to reformat all java files.

Issue gh-8945
2020-08-24 17:32:56 -05:00
Martin Vietz 0486d5add9 scopes_supported metadata not used as default in ClientRegistrations
Closes gh-8514
2020-08-20 08:09:54 -04:00
Phillip Webb 27ac046d8a Rename *Test.java -> *Tests.java
Rename a few test classes that accidentally ended in `Test` instead of
`Tests`.

Issue gh-8945
2020-08-10 16:24:44 -05:00
Joe Grandja 1d74d556c2 Revert "Lock Dependency Versions for 5.4.0-RC1"
This reverts commit f3a1e5d40c.
2020-08-05 14:59:11 -04:00
Joe Grandja f3a1e5d40c Lock Dependency Versions for 5.4.0-RC1 2020-08-05 13:46:11 -04:00
Eleftheria Stein d8bef76a0f Unlock dependencies
This reverts commit b619d298aa.
2020-08-05 18:18:02 +02:00
Eleftheria Stein b619d298aa Lock Dependencies for 5.3.4.RELEASE 2020-08-05 12:33:31 +02:00
Joe Grandja 3bc0b8c144 Revert "Fix snapshot build failure related to reactor-netty"
This reverts commit f37714a26f.
2020-08-04 14:24:32 -04:00
Joe Grandja f37714a26f Fix snapshot build failure related to reactor-netty
Closes gh-8909
2020-08-04 14:17:03 -04:00
Joe Grandja 8146b1fdda Deprecate CustomUserTypesOAuth2UserService
Closes gh-8908
2020-08-04 13:23:44 -04:00
Joe Grandja 73e550a867 Polish gh-8906 2020-08-04 11:16:26 -04:00
Joe Grandja 0ed919f072 Deprecate ClientRegistration.redirectUriTemplate
Closes gh-8906
2020-08-04 11:03:29 -04:00
Joe Grandja a0c10f2df6 Allow for custom ClientRegistration.clientAuthenticationMethod
Closes gh-8903
2020-08-04 08:48:56 -04:00
Joe Grandja 4e5a304a8a Remove use of Mono.deferWithContext()
Closes gh-8901
2020-08-04 07:26:32 -04:00
Dávid Kováč da4bd22c6d Resolve Bearer token after subscribing to publisher
Bearer token was resolved immediately after calling method convert. In situations when malformed token was provided or authorization header and access token query param were present in request exception was thrown instead of signalling error.
After this change Bearer token is resolved on subscription and invalid states are handled by signaling error to subscriber.

Closes gh-8865
2020-08-03 11:11:09 -05:00
Dávid Kováč d104490cb8 Resolve Bearer token after subscribing to publisher
Bearer token was resolved immediately after calling method convert. In situations when malformed token was provided or authorization header and access token query param were present in request exception was thrown instead of signalling error.
After this change Bearer token is resolved on subscription and invalid states are handled by signaling error to subscriber.

Closes gh-8865
2020-08-03 11:09:48 -05:00
Dávid Kováč dfaf251970 Resolve Bearer token after subscribing to publisher
Bearer token was resolved immediately after calling method convert. In situations when malformed token was provided or authorization header and access token query param were present in request exception was thrown instead of signalling error.
After this change Bearer token is resolved on subscription and invalid states are handled by signaling error to subscriber.

Closes gh-8865
2020-08-03 11:04:21 -05:00
Josh Cummings fd669f751d
Remove unused import
Issue gh-8589
2020-07-31 08:45:47 -06:00
Josh Cummings c2612a2f41
Remove unused import
Issue gh-8589
2020-07-31 08:45:17 -06:00
Josh Cummings f6e47830fe
Remove unused import
Issue gh-8589
2020-07-31 08:37:32 -06:00
Josh Cummings 510d1b8121
Polish to Avoid NPE
Issue gh-5648

Co-authored-by: MattyA <mat.auburn@gmail.com>
2020-07-30 17:59:31 -06:00
Josh Cummings 2f80b8a5be
Additional Jwt Validation Debug Messages
Closes gh-8589

Co-authored-by: MattyA <mat.auburn@gmail.com>
2020-07-30 17:58:16 -06:00
Josh Cummings f3695932de
Polish to Avoid NPE
Issue gh-5648

Co-authored-by: MattyA <mat.auburn@gmail.com>
2020-07-30 17:28:07 -06:00
Josh Cummings 950769fa00
Additional Jwt Validation Debug Messages
Closes gh-8589

Co-authored-by: MattyA <mat.auburn@gmail.com>
2020-07-30 17:21:58 -06:00
Josh Cummings 90e5f45e1f
Polish to Avoid NPE
Issue gh-5648

Co-authored-by: MattyA <mat.auburn@gmail.com>
2020-07-30 16:56:41 -06:00
Josh Cummings b2728059ae
Additional Jwt Validation Debug Messages
Closes gh-8589

Co-authored-by: MattyA <mat.auburn@gmail.com>
2020-07-30 16:56:37 -06:00
Dennis Neufeld 57db8e5d4a Add OAuth2AuthenticationException to allowlist
Add mixins for
- OAuth2AuthenticationException
- OAuth2Error

Closes gh-8797
2020-07-21 10:15:44 -04:00
Dennis Neufeld de572be8e9 Add OAuth2AuthenticationException to allowlist
Add mixins for
- OAuth2AuthenticationException
- OAuth2Error

Closes gh-8797
2020-07-21 10:14:45 -04:00
Josh Cummings 9d8920f1b1
Polish Bearer Token Padding
Issue gh-8502
2020-07-16 12:22:45 -06:00
kothasa 6519029340
Bearer Token Padding
Closes gh-8502
2020-07-16 12:22:32 -06:00
Josh Cummings 9045636a4b
Polish Bearer Token Padding
Issue gh-8502
2020-07-16 11:56:55 -06:00
kothasa 09e154d8f2
Bearer Token Padding
Closes gh-8502
2020-07-16 11:53:36 -06:00
Josh Cummings d3bea02124
Polish Bearer Token Padding
Issue gh-8502
2020-07-15 18:14:39 -06:00
kothasa d38dabac02
Bearer Token Padding
Closes gh-8502
2020-07-15 18:13:51 -06:00
Josh Cummings 221c33f558
Polish OAuth2IntrospectionAuthenticatedPrincipal
Removed some duplication by delegating to
DefaultOAuth2AuthenticatedPrincipal

Changed order of listed interfaces to satisfy compiler issue. When
listed with OAuth2AuthenticatedPrincipal first, then
OAuth2ResourceServerBeanDefinitionParserTests would fail to import
OpaqueTokenBeanDefinitionParser. Switching
OAuth2AuthenticatedPrincipal with OAuth2IntrospectionClaimAccessor
resolved the compilation issue.

Issue gh-6489
2020-07-09 18:01:55 -06:00
Dávid Kováč af1c96b425
Simplify OAuth 2.0 Introspection Attribute Retrieval
In order to simplify retrieving of OAuth 2.0 Introspection specific
attributes, OAuth2IntrospectionClaimAccessor interface was introduced
and also new OAuth2AuthenticatedPrincipal implementing this new
interface (OAuth2IntrospectionAuthenticatedPrincipal).

Also DefaultOAuth2AuthenticatedPrincipal was replaced by
OAuth2IntrospectionAuthenticatedPrincipal in cases where OAuth 2.0
Introspection is performed (NimbusOpaqueTokenIntrospector,
NimbusReactiveOpaqueTokenIntrospector).

DefaultOAuth2AuthenticatedPrincipal can be still used by applications
that introspected the token without OAuth 2.0 Introspection.

OAuth2IntrospectionAuthenticatedPrincipal will also be used as a
default principal in tests where request is post-processed/mutated
by OpaqueTokenRequestPostProcessor/OpaqueTokenMutator.

Closes gh-6489
2020-07-09 17:26:13 -06:00
Joe Grandja b69bcf88e0 Improve error message when invalid content-type for UserInfo response
Closes gh-8764
2020-07-09 14:10:14 -04:00
Julian Müller 4fec451196 Enables empty authorityPrefix
- docs stated that empty authorityPrefix are allowed but implementation denied to use `""`
- commit removes the `hasText`-limitation but restricts to `notNull`

Fixes gh-8421
2020-07-07 15:24:38 +02:00
Josh Cummings 146d0b6358
Revert "Lock Dependency Versions for 5.4.0-M2"
This reverts commit 68538897c8.
2020-07-01 13:11:50 -06:00
Josh Cummings 68538897c8
Lock Dependency Versions for 5.4.0-M2 2020-07-01 12:40:29 -06:00
Eleftheria Stein 7af5804d56 Compare Timestamps up to the millisecond
Issue gh-8782
2020-07-01 11:30:27 +02:00
Eleftheria Stein eb7b27695d Compare Timestamps up to the millisecond
Issue gh-8782
2020-07-01 11:12:55 +02:00
Benjamin Bargeton 497ef5e74e OAuth2AccessTokenResponse.Builder.expiresIn works after withResponse
Closes gh-8702
2020-06-30 15:15:10 -04:00
Jan Oopkaup d31fff11b3
Add Post-Processor for JWTProcessor Configuration
Extends all existing builders in NimbusJwtDecoder and NimbusReactiveJwtDecoder with a
post-processor hook to apply changes on the JWTProcessor used for token verification.
Test cases added show how this is used to configure the JWTProcessor to allow additional
JWT typ headers.

Closes gh-8730
2020-06-26 07:52:16 -06:00
Joe Grandja 659b25a4e5 Fix typo in OAuth2AccessTokenResponse
Closes gh-8746
2020-06-22 08:21:59 -04:00
Rob Winch ca1252be94 Replace whitelist with allowlist
Issue gh-8676
2020-06-10 11:49:21 -05:00
Joe Grandja da4b626bf1 OAuth2LoginAuthenticationWebFilter should handle OAuth2AuthorizationException
Issue gh-8609
2020-06-09 17:28:21 -04:00
Joe Grandja 4c902bb857 OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException
Fixes gh-8609
2020-06-09 17:28:21 -04:00
Joe Grandja 674e2c0a8e OAuth2LoginAuthenticationWebFilter should handle OAuth2AuthorizationException
Issue gh-8609
2020-06-09 16:24:00 -04:00
Joe Grandja 11c1236261 OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException
Fixes gh-8609
2020-06-09 16:24:00 -04:00
Joe Grandja 38c1e3ffa8 OAuth2LoginAuthenticationWebFilter should handle OAuth2AuthorizationException
Issue gh-8609
2020-06-09 15:27:32 -04:00
Joe Grandja acf56f24a6 OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException
Fixes gh-8609
2020-06-09 15:21:07 -04:00
Josh Cummings 1d821a2664
Add Ticket Number to Test
Issue gh-8650
2020-06-05 14:24:49 -06:00
Erik Bakker cd3fd6762f
Don't Consume Request Body
Per the servlet spec, getParameter(name) consumes the request body for
POST requests.

This commit prevents DefaultOAuth2AuthorizationRequestResolver from
consuming the request body for non-Authorization requests.

Closes gh-8650
2020-06-05 14:21:00 -06:00
Josh Cummings bbd2a9ebae
Revert "Lock Dependencies for 5.3.3.RELEASE"
This reverts commit 116bfe01e6.
2020-06-03 16:11:59 -06:00
Josh Cummings 116bfe01e6
Lock Dependencies for 5.3.3.RELEASE 2020-06-03 13:14:07 -06:00
Parikshit Dutta 28d2cfa14a Add ServerRequestCache setter in OAuth2AuthorizationCodeGrantWebFilter
Fixes gh-8536
2020-06-02 21:54:09 -04:00
Josh Cummings aa84c79e87
Use Nimbus Multiple Algorithm Support
Closes gh-8623
2020-06-02 12:49:21 -06:00
Parikshit Dutta 1e211b6558 Add RequestCache setter in OAuth2AuthorizationCodeGrantFilter
Fixes gh-8120
2020-05-15 15:13:15 -04:00
Joe Grandja c1abc9b134 Polish gh-8501 2020-05-15 13:26:09 -04:00
Thomas Vitale 78fa859798 Add issuerUri to ClientRegistration.providerDetails
- Add "issuerUri" attribute to ClientRegistration.providerDetails for OpenID Connect Discovery 1.0 or OAuth 2.0 Authorization Server Metadata.
- Validate OidcIdToken "iss" claim against the OpenID Provider "issuerUri" value.
- Update documentation for client registration: it includes issuer-uri property now.

Fixes gh-8326
2020-05-14 17:13:07 -04:00
Joe Grandja 86ca6b013c Unlock dependencies
This reverts commit 206960cf44.
2020-05-06 17:27:35 -04:00
Joe Grandja 206960cf44 Lock dependencies for 5.4.0-M1 2020-05-06 17:13:04 -04:00
Joe Grandja 413dfc8679 Unlock dependencies
This reverts commit a61145f74c.
2020-05-06 15:29:45 -04:00
Joe Grandja a61145f74c Lock dependencies for 5.3.2.RELEASE 2020-05-06 15:06:08 -04:00
Stav Shamir 6f2359ccae Support update when saving with JdbcOAuth2AuthorizedClientService
Before this commit, JdbcOAuth2AuthorizedClientService threw DuplicateKeyException when re-authorizing or when authorizing the same user from a different client.

This commit makes JdbcOAuth2AuthorizedClientService's saveAuthorizedClient method consistent with that of InMemoryOAuth2AuthorizedClientService.

Fixes gh-8425
2020-04-29 09:18:54 -04:00
Stav Shamir a783fbc641 Support update when saving with JdbcOAuth2AuthorizedClientService
Before this commit, JdbcOAuth2AuthorizedClientService threw DuplicateKeyException when re-authorizing or when authorizing the same user from a different client.

This commit makes JdbcOAuth2AuthorizedClientService's saveAuthorizedClient method consistent with that of InMemoryOAuth2AuthorizedClientService.

Fixes gh-8425
2020-04-29 07:37:57 -04:00
Julian Müller 9dd68f86d3 Enables empty authorityPrefix
- docs stated that empty authorityPrefix are allowed but implementation denied to use `""`
- commit removes the `hasText`-limitation but restricts to `notNull`

Fixes gh-8421
2020-04-22 08:55:54 -05:00
Julian Müller 60d4d5b7ee Enables empty authorityPrefix
- docs stated that empty authorityPrefix are allowed but implementation denied to use `""`
- commit removes the `hasText`-limitation but restricts to `notNull`

Fixes gh-8421
2020-04-22 08:52:54 -05:00
Daniel Furtlehner 32ce94d2dd Validate ID Token Issuer
When the issuer is set in the provider metadata, we validate the iss
field of the ID Token against it.

The OpenID Connect Specification says this must always be validated.
But this would be a breaking change for applications configured other
than with ClientRegistrations.fromOidcIssuerLocation(issuer). This will
be done later with #8326

Fixes gh-8321
2020-04-21 20:30:01 -04:00
Antonin Arquey 5cd1ec7bb3 Add AuthoritiesMapper setter for reactive OAuth2Login
Allow the configuration of a custom GrantedAuthorityMapper for reactive OAuth2Login

- Add setter in OidcAuthorizationCodeReactiveAuthenticationManager
  and OAuth2LoginReactiveAuthenticationManager

- Use an available GrantedAuthorityMapper bean to configure the default ReactiveAuthenticationManager

Fixes gh-8324
2020-04-17 16:55:05 -04:00
Evgeniy Cheban a70d55552b
Resource Server Finds JwtAuthenticationConverter Beans
Fixes gh-8185
2020-04-13 22:47:20 -06:00
Josh Cummings 10aa9743ed
Polish NimbusJwtDecoder
- Follow convention to prefix member variable references with "this."
- Reduce stack trace when IOException is thrown
- Name tests to follow conventions

Issue gh-8332
2020-04-10 16:45:01 -06:00
Mykyta Bezverkhyi 9133cc24e4
Add Cache to NimbusJwtDecoderJwkSetUriBuilder
PR gh-8332
2020-04-10 16:45:01 -06:00
Teddy Reinert 2f8eb16d76
Allow custom header during bearer token extraction
Added ability to specify the header that
ServerBearerTokenAuthenticationConverter and
DefaultBearerTokenResolver use to extract a Bearer Token.

Fixes gh-8337
2020-04-09 10:36:03 -06:00
Evgeniy Cheban 25fb1f417d Added setPrincipalClaimName to JwtAuthenticationConverter
Fixes gh-8186
2020-04-07 16:20:43 -06:00
Joe Grandja a78872f268 Unlock dependencies for 5.3.1.RELEASE
This reverts commit 88c02684bb.
2020-03-31 17:53:13 -04:00
Joe Grandja 88c02684bb Lock dependencies for 5.3.1.RELEASE 2020-03-31 17:28:36 -04:00
Ruby Hartono 401597c673 Improve OAuth2LoginAuthenticationProvider
1. update OAuth2LoginAuthenticationProvider to use
OAuth2AuthorizationCodeAuthenticationProvider
2. apply fix gh-5368 for OAuth2AuthorizationCodeAuthenticationProvider
to return additionalParameters value from accessTokenResponse

Fixes gh-5633
2020-03-30 21:09:17 -04:00
Ruby Hartono 45eb34c9a6 Improve OAuth2LoginAuthenticationProvider
1. update OAuth2LoginAuthenticationProvider to use
OAuth2AuthorizationCodeAuthenticationProvider
2. apply fix gh-5368 for OAuth2AuthorizationCodeAuthenticationProvider
to return additionalParameters value from accessTokenResponse

Fixes gh-5633
2020-03-30 21:08:59 -04:00
Ruby Hartono 71b4248fe6 Improve OAuth2LoginAuthenticationProvider
1. update OAuth2LoginAuthenticationProvider to use
OAuth2AuthorizationCodeAuthenticationProvider
2. apply fix gh-5368 for OAuth2AuthorizationCodeAuthenticationProvider
to return additionalParameters value from accessTokenResponse

Fixes gh-5633
2020-03-30 20:55:43 -04:00
Martin Nemec a9a9c2c0fd OAuth2 ClientRegistrations NPE fix when userinfo missing
Fixes gh-8187
2020-03-27 06:15:25 -04:00
Martin Nemec dfc25dc245 OAuth2 ClientRegistrations NPE fix when userinfo missing
Fixes gh-8187
2020-03-27 06:13:50 -04:00
Martin Nemec 75c05d0bb4 OAuth2 ClientRegistrations NPE fix when userinfo missing
Fixes gh-8187
2020-03-27 05:58:28 -04:00
Joe Grandja f06aa724bf OAuth2ErrorHttpMessageConverter handles JSON object parameters
Fixes gh-8157
2020-03-24 14:57:24 -04:00
Joe Grandja 044c30c3bc OAuth2ErrorHttpMessageConverter handles JSON object parameters
Fixes gh-8157
2020-03-24 14:56:51 -04:00
Joe Grandja 93ed92cc94 OAuth2ErrorHttpMessageConverter handles JSON object parameters
Fixes gh-8157
2020-03-24 14:51:04 -04:00
Joe Grandja a1bcd4ed00 Fix OAuth2AuthorizationRequest additionalParameters/attributes Consumer
Fixes gh-8177
2020-03-24 13:59:36 -04:00
Joe Grandja 46baf38f59 Fix OAuth2AuthorizationRequest additionalParameters/attributes Consumer
Fixes gh-8177
2020-03-24 13:44:09 -04:00
Joe Grandja 2d8242c5c1 Assign sensible default for OAuth2AuthorizedClientProvider
Fixes gh-8150
2020-03-19 11:50:48 -04:00
Joe Grandja a9dabf6efb Assign sensible default for OAuth2AuthorizedClientProvider
Fixes gh-8150
2020-03-19 11:44:30 -04:00
Joe Grandja 5e0e5b6ed4 Fix NPE when token response contains a null value
Fixes gh-8108
2020-03-16 15:59:19 -04:00
Joe Grandja 26414ad3af Fix NPE when token response contains a null value
Fixes gh-8108
2020-03-16 15:56:59 -04:00
Josh Cummings 6eadf7b140
Unlock dependencies for 5.3.0.RELEASE
This reverts commit 147d7dadd7.
2020-03-04 12:02:48 -07:00
Josh Cummings 147d7dadd7
Lock dependencies for 5.3.0.RELEASE 2020-03-04 10:28:39 -07:00
Roman Matiushchenko 9d66f2ccce polish gh-7996
Make defensive collection copy as Collections.unmodifiableCollection
does not protect from the source collection direct modification.
Use Mono#map instead of Mono#flatMap as it allocates less.
Use less operators to reduce allocations.
Use lambda parameter instead of outer method parameter
in authenticationManagers#computeIfAbsent()
to make it non capturing so it could be cached by JVM.
Propagate cause for InvalidBearerTokenException.
2020-02-27 09:29:43 -07:00
Roman Matiushchenko 04e671fb4d Instantiate exceptions lazily
Add lazy Exception instantiation to reduce allocations

Fixes gh-7995
2020-02-27 09:29:43 -07:00
Josh Cummings 968ebb194b
baseUrl placeholder for OidcLogoutSuccessHandlers
Fixes gh-7842
2020-02-25 13:35:50 -07:00
Josh Cummings 283e451cad
Update JwtDecoders tests
Issue gh-7860
2020-02-25 13:33:20 -07:00
Zeeshan Adnan 431cd6000b
Add JwtClaimValidator
Fixes gh-7860
2020-02-25 13:32:41 -07:00
Joe Grandja 3dbfef9ef1 OAuth2AccessTokenResponseHttpMessageConverter handles JSON object parameters
Fixes gh-6463
2020-02-24 15:58:25 -05:00
Joe Grandja fb2bbd74dc OAuth2AccessTokenResponseHttpMessageConverter handles JSON object parameters
Fixes gh-6463
2020-02-24 15:36:53 -05:00
Joe Grandja fa73b1397a Add missing @FunctionalInterface in oauth2 modules
Fixes gh-8020
2020-02-24 11:53:30 -05:00
Joe Grandja 3e5600f83f Add configurable Clock in OidcIdTokenValidator
Fixes gh-8019
2020-02-24 11:21:03 -05:00
Joe Grandja 7734d049eb Polish javadoc gh-7511 2020-02-24 10:35:58 -05:00
Joe Grandja d32c98b1c5 Add OAuth2AuthorizeRequest.Builder.principal(String)
Fixes gh-8018
2020-02-24 09:58:38 -05:00
Joe Grandja c6da7b2dd6 Polish gh-7840 2020-02-24 09:28:00 -05:00
Joe Grandja 65b5d468fb Deprecate UnAuthenticatedServerOAuth2AuthorizedClientRepository
Fixes gh-8016
2020-02-24 06:50:58 -05:00
Joe Grandja 4e2f1988f2 Polish Fix package tangles
Issue #7699 #7840
2020-02-24 06:42:00 -05:00
Joe Grandja 82cd203791 Remove unnecessary mocking
Fixes gh-8012
2020-02-23 19:35:16 -05:00
Joe Grandja 204a612be1 Deprecate Implicit Grant
Fixes gh-8013
2020-02-23 19:34:52 -05:00
Joe Grandja c8cc9717c9 Fix package tangles
Issue #7699 #7840
2020-02-23 07:24:36 -05:00
Joe Grandja f2da2c56be Resolve OAuth2Error from WWW-Authenticate header
Issue gh-7699
2020-02-21 15:12:58 -05:00
Joe Grandja 69156b741d Add OAuth2Authorization success/failure handlers
Fixes gh-7840
2020-02-21 15:12:58 -05:00
Joe Grandja 23ce717380 Simplify customizing OAuth2AuthorizationRequest
Fixes gh-7696
2020-02-19 06:22:07 -05:00
Joe Grandja de8b558561 Add JDBC implementation of OAuth2AuthorizedClientService
Fixes gh-7655
2020-02-13 12:17:29 -05:00
Joe Grandja ff8002eb2e Polish gh-4557 2020-02-12 15:47:57 -05:00
Joe Grandja 8acdb82e6a OAuth2AuthorizationCodeGrantWebFilter matches on query parameters
Fixes gh-7966
2020-02-10 15:28:06 -05:00
Joe Grandja 0809c04aa2 OAuth2AuthorizationCodeGrantWebFilter matches on query parameters
Fixes gh-7966
2020-02-10 15:11:04 -05:00
Joe Grandja 6141132cfa Fix test gh-7963 2020-02-10 05:53:00 -05:00
Joe Grandja cc7ea4acd3 OAuth2AuthorizationCodeGrantFilter matches on query parameters
Fixes gh-7963
2020-02-10 05:24:14 -05:00
Joe Grandja 3c86239b39 OAuth2AuthorizationCodeGrantFilter matches on query parameters
Fixes gh-7963
2020-02-10 05:13:47 -05:00
Manuel Bleichenbacher 1e4736f9b3 Prevent double-escaping of authorize URL parameters
If the authorization URL in the OAuth2 provider configuration contained query parameters with escaped characters, these characters were escaped a second time. This commit fixes it.

It is relevant to support the OIDC claims parameter (see https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter).

Fixes gh-7871
2020-02-08 16:59:01 -05:00
Manuel Bleichenbacher d3490b0f87 Prevent double-escaping of authorize URL parameters
If the authorization URL in the OAuth2 provider configuration contained query parameters with escaped characters, these characters were escaped a second time. This commit fixes it.

It is relevant to support the OIDC claims parameter (see https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter).

Fixes gh-7871
2020-02-08 16:40:15 -05:00
Stephane Maldini 851be025e9 Don't force downcasting of RequestAttributes to ServletRequestAttributes
Fixes gh-7952
2020-02-07 20:44:19 -05:00
Stephane Maldini 0012e24c46 Don't force downcasting of RequestAttributes to ServletRequestAttributes
Fixes gh-7953
2020-02-07 20:18:50 -05:00
Josh Cummings a90e579350 Add JwtIssuerReactiveAuthenticationManagerResolver
Fixes gh-7857
2020-02-06 13:45:13 -07:00
Eleftheria Stein 84b8a5abd7 Unlock dependencies for next development version
This reverts commit 064616f1ef.
2020-02-05 15:53:04 +01:00
Josh Cummings c4ccc96655
Polish Error Messages for OpaqueTokenIntrospectors 2020-02-05 07:16:37 -07:00
Eleftheria Stein 064616f1ef Lock dependencies for 5.3.0.RC1 2020-02-05 10:20:05 +01:00
Josh Cummings 209c81d65d
Add BadOpaqueTokenException
Updated NimbusOpaqueTokenIntrospector and
NimbusReactiveOpaqueTokenIntrospector to throw.
Updated OpaqueTokenAuthenticationProvider and
OpaqueTokenReactiveAuthenticationManager to catch.

Fixes gh-7902
2020-02-04 17:33:08 -07:00
Josh Cummings 0c3754c811
Add BadJwtException
Updated NimbusJwtDecoder and NimbusReactiveJwtDecoder to throw.
Updated JwtAuthenticationProvider and JwtReactiveAuthenticationManager
to catch.

Fixes gh-7885
2020-02-04 17:33:08 -07:00
Josh Cummings fbdecdafb8
Add Mapping to Invalid Bearer Token
Fixes gh-7793
2020-02-04 17:33:08 -07:00
Joe Grandja 25d029b092 Fix test gh-7873 2020-02-04 12:00:55 -05:00
Joe Grandja 04f3fe8af9 Add Jackson support for oauth2-client session related classes
Fixes gh-4886
2020-02-04 09:01:12 -05:00
Josh Cummings 3e07b35611
Polish Bearer Token Error Handling
Issue gh-7822
Issue gh-7823
2020-02-03 17:54:39 -07:00
Josh Cummings 1b15f74f57
Add InvalidBearerTokenException
Fixes gh-7822
2020-02-03 17:54:39 -07:00
Josh Cummings 7b2fcd17f5
Add BearerTokenErrors
Fixes gh-7823
2020-02-03 17:54:33 -07:00
Josh Cummings 7550907e03
Polish OAuth2AccessTokenResponse converters
Since these converters no longer have a direct reference to the HTTP
stack, it would be better to move them into another package. Also, now
that the converters are public, we should follow the prevailing
converter naming convention, which is to call it STConverter for an
implementation of Converter<S, T>.
2020-01-30 16:42:44 -07:00
Nikita Konev 704f98688d
Make OAuth2AccessTokenResponse converters public 2020-01-30 16:42:44 -07:00
Phil Clay e5fca61810 Introduce Reactive OAuth2Authorization success/failure handlers
All ReactiveOAuth2AuthorizedClientManagers now have authorization success/failure handlers.
A success handler is provided to save authorized clients for future requests.
A failure handler is provided to remove previously saved authorized clients.

ServerOAuth2AuthorizedClientExchangeFilterFunction also makes use of a
failure handler in the case of unauthorized or forbidden http status code.

The main use cases now handled are
- remove authorized client when an authorization server indicates that a refresh token is no longer valid (when authorization server returns invalid_grant)
- remove authorized client when a resource server indicates that an access token is no longer valid (when resource server returns invalid_token)

Introduced ClientAuthorizationException to capture details needed when removing an authorized client.
All ReactiveOAuth2AccessTokenResponseClients now throw a ClientAuthorizationException on failures.

Created AbstractWebClientReactiveOAuth2AccessTokenResponseClient to unify common logic between all ReactiveOAuth2AccessTokenResponseClients.

Fixes gh-7699
2020-01-16 15:24:55 -05:00
Eleftheria Stein fcc6457bef Unlock dependencies for next development version
This reverts commit 93acf8f0f1.
2020-01-08 22:15:17 +01:00
Eleftheria Stein 93acf8f0f1 Lock dependencies for 5.3.0.M1 2020-01-08 19:41:10 +01:00
Josh Cummings de87675f6d Add JwtIssuerAuthenticationManagerResolver
Fixes gh-7724
2020-01-07 23:30:42 -07:00
Rob Winch 65981444f1 Use Version Ranges
Fixes gh-7788
2020-01-06 14:46:48 -06:00
Josh Cummings 02f161aba7
Use OidcIdToken.Builder
Issue gh-7592
2019-12-12 07:37:15 -07:00
Phil Clay 840d3aa986 Polish #7589
Rename OAuth2AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager to AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager.

Handle empty mono returned from contextAttributesMapper.

Handle empty map returned from contextAttributesMapper.

Fix DefaultContextAttributesMapper so that it doesn't access ServerWebExchange.

Fix unit tests so that they pass.

Use StepVerifier in unit tests, rather than .subscribe().

Fixes gh-7569
2019-12-10 14:37:34 -05:00
Ankur Pathak 4c5c4f6cce Reactive Implementation of AuthorizedClientServiceOAuth2AuthorizedClientManager
ReactiveOAuth2AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager is reactive
version of AuthorizedClientServiceOAuth2AuthorizedClientManager

Fixes: gh-7569
2019-12-10 14:37:25 -05:00