Commit Graph

527 Commits

Author SHA1 Message Date
Joe Grandja 952743269d Add support for client_credentials grant
Fixes gh-4982
2018-08-08 08:06:47 -05:00
Johnny Lim 3d1185df3b Add @Deprecation on removeAuthorizationRequest() (#5634)
2018-08-03 09:37:48 -04:00
Rob Winch 1a65abd781 Add defaultOAuth2AuthorizedClient flag
Fixes: gh-5619
2018-07-31 14:44:40 -05:00
Rob Winch 2cd2bab818 Use HttpHeaders.setBasicAuth
Issue: gh-5612
2018-07-30 15:34:48 -05:00
Rob Winch afa2d9cbc7 Remove ExchangeFilterFunctions
Issue: gh-5612
2018-07-30 15:34:44 -05:00
Rob Winch 262c1a77c6 Remove SecurityHeaders
We no longer need this since Spring Framework now provides
HttpHeaders.setBearerAuth

Issue: gh-5612
2018-07-30 15:34:40 -05:00
Joe Grandja b5abb99908 ClaimAccessor.getClaimAsString() checks null claim value
Fixes gh-5608
2018-07-30 15:31:41 -04:00
Joe Grandja e243f93eed Default to server_error when OAuth2Error.errorCode is null
Fixes gh-5594
2018-07-30 13:20:58 -04:00
Rob Winch aea861e2f9 Fix Imports
Issue: gh-5599
2018-07-30 12:15:53 -05:00
Rob Winch a01dc3a5f6 WebFlux Handles Undefined State Parameter
Currently if a state exists, but an undefined state parameter is provided
a NullPointerException occurs.

This commit handles the null value.

Fixes: gh-5599
2018-07-30 12:02:42 -05:00
Rob Winch 2056b3440f Add ServerBearerTokenAuthenticationConverter
Issue: gh-5605
2018-07-30 11:39:40 -05:00
Rob Winch 4f417f01a7 BearerTokenServerAuthenticationEntryPoint
Issue: gh-5605
2018-07-30 11:39:34 -05:00
Rob Winch da73242d60 Add JwtReactiveAuthenticationManager
Issue: gh-5605
2018-07-30 11:39:28 -05:00
Rob Winch b8308c9ae0 Extract JwtConverter
Issue: gh-5605
2018-07-30 11:37:56 -05:00
Rob Winch f3c9cce56d Rename to WebClientAuthorizationCodeTokenResponseClient
Rename NimbusReactiveAuthorizationCodeTokenResponseClient to
WebClientReactiveAuthorizationCodeTokenResponseClient

Fixes: gh-5529
2018-07-26 15:14:11 -05:00
Rob Winch 1c8a931e33 Rename to OidcAuthorizationCodeReactiveAuthenticationManager
Renamed OidcReactiveAuthenticationManager to
OidcAuthorizationCodeReactiveAuthenticationManager since it only handles
authorization code flow.

Fixes: gh-5530
2018-07-26 15:14:11 -05:00
Joe Grandja 2c1c2c78c3 Add HttpServletResponse param to removeAuthorizationRequest
Fixes gh-5313
2018-07-26 14:15:56 -04:00
Johnny Lim 887db71333 Fix typo (#5580)
2018-07-26 10:04:21 -04:00
mhyeon.lee ba29b363fc Fix OAuth2AuthorizationRequestRedirectWebFilter baseurl exclude querystring
To create redirect_uri in OAuth2AuthorizationRequestRedirectWebFilter,
queryParam is included in the current request-based baseUrl.
So when binding to the redirectUriTemplate,
the wrong type of redirect_uri may be created.

Fixed: gh-5520
2018-07-23 15:42:15 -04:00
Joe Grandja 36cbdfe013 Fix NPE when null Authentication in authorization_code grant
Fixes gh-5560
2018-07-23 12:28:48 -04:00
Rob Winch 88975dad41 ServletOAuth2AuthorizedClientExchangeFilterFunction handles null authorized client
Issue: gh-5545
2018-07-22 12:01:42 -07:00
Rob Winch 67dd3f16e9 Add static methods for ServletOAuth2AuthorizedClientExchangeFilterFunction
This will allow us to break up
ServletOAuth2AuthorizedClientExchangeFilterFunction into multiple
components if we decide to later.

Issue: gh-5545
2018-07-20 11:48:20 -05:00
Rob Winch 9ababf4168 Rename to ServerOAuth2AuthorizedClientExchangeFilterFunction
Rename OAuth2AuthorizedClientExchangeFilterFunction to
ServerOAuth2AuthorizedClientExchangeFilterFunction

Issue: gh-5386
2018-07-20 11:48:19 -05:00
Rob Winch 1b79bbed7f Add ServletOAuth2AuthorizedClientExchangeFilterFunction
Fixes: gh-5545
2018-07-20 11:48:19 -05:00
mhyeon.lee 3c461b704c Add AuthenticationMethod type
This section defines three methods of sending bearer access tokens
in resource requests to resource servers.
Clients MUST NOT use more than
one method to transmit the token in each request.

RFC6750 Section 2 Authenticated Requests
https://tools.ietf.org/html/rfc6750#section-2

Add AuthenticationMethod in ClientRegistration UserInfoEndpoint.

Add AuthenticationMethod for OAuth2UserService to get User.

To support the use of the POST method.
https://tools.ietf.org/html/rfc6750#section-2.2

gh-5500
2018-07-20 11:32:51 -04:00
Joe Grandja 9a144d742e Use OAuth2AuthorizedClientRepository in filters and resolver
Fixes gh-5544
2018-07-19 22:57:10 -04:00
mhyeon.lee 3f8e69211f Fix OAuth2 ClientRegistration scope can be null
Allows scope of OAuth2 ClientRegistration to be null.

- The scope setting in the RFC document is defined as Optional.
https://tools.ietf.org/html/rfc6749#section-4.1.1

    > scope:  OPTIONAL.
    > The scope of the access request as described by Section 3.3.

- When the client omits the scope parameter,
validation is determined by the authorization server.
https://tools.ietf.org/html/rfc6749#section-3.3

    > If the client omits the scope parameter when requesting
    > authorization, the authorization server MUST either process the
    > request using a pre-defined default value or fail the request
    > indicating an invalid scope.  The authorization server SHOULD
    > document its scope requirements and default value (if defined).

Fixes gh-5494
2018-07-18 16:17:14 -04:00
mhyeon.lee 191a4760f9 Fix DefaultOAuth2AuthorizationRequestResolver baseUrl excludes queryParams
To create redirect_uri in DefaultOAuth2AuthorizationRequestResolver,
queryParam is included in the current request-based baseUrl.
So when binding to the redirectUriTemplate,
the wrong type of redirect_uri may be created.

Fixes gh-5520
2018-07-17 12:00:01 -04:00
Rob Winch 981d35a92c Add ClientRegistration.Builder.registrationId
Fixes: gh-5527
2018-07-17 01:27:39 -05:00
Josh Cummings becff23df1 Reliable Error State Tests - Nimbus
A test against the Nimbus library was relying on specific messaging
from Nimbus as well as the JDK, making it brittle.

Now, it simply relies on the messaging that we control.

Issue: gh-4887
2018-07-16 14:46:42 -06:00
Rob Winch d595098823 Rename @TransientAuthentication to @Transient
It is quite likely we will need to prevent certain Exceptions from being
saved or from triggering a saved request. When we add support for this,
we can now leverage @Transient vs creating a new annotation.

Issue: gh-5481
2018-07-16 11:31:10 -05:00
Josh Cummings 40ccdb93f7 Resource Server Jwt Support
Introducing initial support for Jwt-Encoded Bearer Token authorization
with remote JWK set signature verification.

High-level features include:

- Accepting bearer tokens as headers and form or query parameters
- Verifying signatures from a remote Jwk set

And:

- A DSL for easy configuration
- A sample to demonstrate usage

Fixes: gh-5128
Fixes: gh-5125
Fixes: gh-5121
Fixes: gh-5130
Fixes: gh-5226
Fixes: gh-5237
2018-07-16 10:40:46 -05:00
Josh Cummings 6e67c0dcea Remap Nimbus JSON Parsing Errors
When Nimbus fails to parse either a JWK response or a JWT response,
the error message contains information that either should or cannot be
included in a Bearer Token response.

For example, if the response from a JWK endpoint is invalid JSON, then
Nimbus will send the entire response from the authentication server in
the resulting exception message.

This commit captures these exceptions and removes the parsing detail,
replacing it with more generic information about the nature of the
error.

Fixes: gh-5517
2018-07-16 10:40:46 -05:00
Joe Grandja 371221d729 Support anonymous Principal for OAuth2AuthorizedClient
Fixes gh-5064
2018-07-16 10:15:41 -05:00
Joe Grandja 779597af2a Add support for custom authorization request parameters
Fixes gh-4911
2018-07-16 09:39:06 -05:00
mhyeon.lee 1d920680bf Enhance OAuth2AccessToken to be serializable
Change the TokenType to Serializable
so that the OAuth2AccessToken can be serialized.
(org.springframework.security.oauth2.core.OAuth2AccessToken.TokenType)

Fixes gh-5492
2018-07-13 11:36:11 -04:00
Rob Winch a5ae714ed5 NimbusReactiveJwtDecoder propagates errors looking up keys
Fixes: gh-5490
2018-07-06 16:39:59 -05:00
Josh Cummings 998d1a064b Close Nimbus Information Leak
This commit captures and remaps the exception that Nimbus throws
when a PlainJWT is presented to it.

While the surrounding classes are likely only used today by the
oauth2Login flow, since they are public, we'll patch them at this
point for anyone who may be using them directly.

Fixes: gh-5457
2018-07-03 10:28:31 -05:00
Rob Winch f7dc76de5f Fix OAuth2BodyExtractorsTests for JDK9
Issue: gh-5475
2018-07-02 16:29:07 -05:00
Rob Winch ba489af354 Fix OAuth2AuthorizedClientExchangeFilterFunctionTests on JDK9
Issue: gh-4371
2018-07-02 16:16:16 -05:00
Rob Winch 127a32bd81 Fix checkstyle OAuth2AuthorizedClientExchangeFilterFunctionTests
Issue: gh-4371
2018-07-02 15:47:24 -05:00
Rob Winch 73689ecfd7 Fix Imports of OAuth2AccessTokenResponse
Issue: gh-5474
2018-07-02 15:46:33 -05:00
Rob Winch 0116c65c0e OAuth2AuthorizedClientExchangeFilterFunction Refresh Support
2018-07-02 14:14:17 -05:00
Rob Winch 1f1fb1a801 Add MockExchangeFunction getResponse
This allows setting up the mock

Issue: gh-5386
2018-07-02 12:43:00 -05:00
Rob Winch 0910e04bdf MockExchangeFunction Support Multiple Requests
Issue: gh-5386
2018-07-02 12:42:54 -05:00
Rob Winch e27e1cd637 Add OAuth2AccessTokenResponseBodyExtractor
This externalizes converting a OAuth2AccessTokenResponse from a
ReactiveHttpInputMessage.

Fixes: gh-5475
2018-07-02 12:41:44 -05:00
Rob Winch ab61732e17 Add OAuth2AccessTokenResponse.withResponse
Add ability to build a new OAuth2AccessTokenResponse from another
OAuth2AccessTokenResponse.

Fixes: gh-5474
2018-07-02 12:37:45 -05:00
Josh Cummings d7ebe5be86 Rename createJwkSet method typo
Actually, it is creating a claims set, just a typo.

Issue: gh-5330
2018-06-28 11:31:21 -06:00
Rob Winch 8ef4a5ba92 Add NimbusReactiveJwtDecoder RSAPublicKey Support
Fixes: gh-5460
2018-06-25 21:30:49 -05:00
Joe Grandja d32aa3c6d6 Validate sub claim in UserInfo Response
Fixes gh-5447
2018-06-25 16:44:04 -04:00
Rob Winch 81350ca3c3 Add NimbusJwkReactiveJwtDecoderTests
Issue: gh-5330
2018-06-25 12:13:08 -05:00
Rob Winch 7b406e89e4 Fixes in decoder
2018-06-25 10:08:13 -05:00
Rob Winch a5f7713d9f adding a test
2018-06-25 10:03:53 -05:00
Rob Winch d521d5e066 Add OidcReactiveAuthenticationManager
Fixes: gh-5330
2018-06-18 16:08:07 -05:00
Rob Winch f7a2a41241 Add OidcReactiveOAuth2UserService
Issue: gh-5330
2018-06-18 16:08:07 -05:00
Rob Winch 5ed319b11a Add NimbusReactiveJwtDecoder
Issue: gh-5330
2018-06-18 16:08:07 -05:00
Rob Winch 0d23aad911 Add ReactiveRemoteJWKSource
Issue: gh-5330
2018-06-18 16:08:07 -05:00
Rob Winch 7898ce2ded Add JWKContextJWKSource
Issue: gh-5330
2018-06-18 16:08:07 -05:00
Rob Winch aa0ea4a8eb Add JWKContext
Issue: gh-5330
2018-06-18 16:06:32 -05:00
Rob Winch 923e23d05b Add JWKSelectorFactory
Issue: gh-5330
2018-06-18 16:06:26 -05:00
Rob Winch 3ddde473f2 Extract OidcTokenValidator
Issue: gh-5330
2018-06-18 16:06:19 -05:00
Rob Winch adb8c60173 Extract OidcUserRequestUtils
This logic is shared by both reactive and non-reactive clients.

Issue: gh-5330
2018-06-18 16:06:01 -05:00
Rob Winch a3db6fc993 Polish OidcUserService
Fixes: gh-5449
2018-06-18 16:03:41 -05:00
Joe Grandja 02d29887fb Associate Refresh Token to OAuth2AuthorizedClient
Fixes gh-5416
2018-06-12 11:31:43 -04:00
Joe Grandja 4fc6d96073 Rename @OAuth2Client to @RegisteredOAuth2AuthorizedClient
Fixes gh-5360
2018-06-08 17:33:21 -04:00
Rob Winch dd1b1b9cc3 Use Spring Framework 5.1.0 SNAPSHOT
Fixes: gh-5408
2018-06-05 12:28:51 -05:00
Joe Grandja fe979aa996 OidcUserService leverages DefaultOAuth2UserService
Fixes gh-5390
2018-05-31 16:17:47 -04:00
Joe Grandja 82e4abdd32 OAuth2ClientArgumentResolver uses AnnotatedElementUtils
Fixes gh-5335
2018-05-29 21:29:33 -04:00
Joe Grandja 32c33d1def Add OAuth2AuthenticationException constructor that takes only OAuth2Error
Fixes gh-5374
2018-05-29 21:10:34 -04:00
Rob Winch b3ca598679 Add WebClient Bearer token support
Fixes: gh-5389
2018-05-25 15:17:08 -05:00
Rob Winch c68cf991ae Add OAuth2AuthorizedClientExchangeFilterFunction
Fixes: gh-5386
2018-05-25 11:01:55 -05:00
Rob Winch 2658577396 OAuth2AuthorizationRequestRedirectWebFilter handles ClientAuthorizationRequiredException
Fixes: gh-5383
2018-05-24 16:40:41 -05:00
Rob Winch 0eedfc717a Revert "Revert "Add ClientRegistration from OpenID Connect Discovery""
This reverts commit 9fe0f50e3c.

The original commit was accidentally pushed prior to PR. We attempted
to revert the commit hoping the PR would open again. This did not work.
We are going to do a Polish commit instead.

Issue: gh-5355
2018-05-18 09:40:43 -05:00
Rob Winch 9fe0f50e3c Revert "Add ClientRegistration from OpenID Connect Discovery"
This reverts commit 0598d47732.
2018-05-18 09:20:51 -05:00
Rob Winch 0598d47732 Add ClientRegistration from OpenID Connect Discovery
Fixes: gh-4413
2018-05-16 12:30:04 -05:00
Rob Winch 7013c6fd76 Add OAuth2LoginSpec
Issue: gh-4807
2018-05-11 04:19:50 -05:00
Rob Winch 23f4b9d3d1 Add OAuth2AuthorizationRequestRedirectWebFilter
Issue: gh-4807
2018-05-11 04:19:50 -05:00
Rob Winch de959dbff6 Add OAuth2ClientArgumentResolver
Issue: gh-4807
2018-05-11 04:19:50 -05:00
Rob Winch c1e9785a48 Add OAuth2LoginReactiveAuthenticationManager
Issue: gh-4807
2018-05-11 04:19:50 -05:00
Rob Winch 7401cb2b51 Add ServerOAuth2LoginAuthenticationTokenConverter
Issue: gh-4807
2018-05-11 04:19:50 -05:00
Rob Winch 3cd2ddf793 Add NimbusReactiveAuthorizationCodeTokenResponseClient
Issue: gh-4807
2018-05-11 04:19:50 -05:00
Rob Winch 3220e9560a Add DefaultReactiveOAuth2UserService
Issue: gh-4807
2018-05-11 04:19:50 -05:00
Rob Winch b613b2d253 Add WebSessionOAuth2ReactiveAuthorizationRequestRepository
Issue: gh-4807
2018-05-11 04:19:50 -05:00
Rob Winch 5e9c714ff0 Add InMemoryReactiveOAuth2AuthorizedClientService
Issue: gh-4807
2018-05-11 04:19:50 -05:00
Rob Winch a02b0c17f8 Add InMemoryReactiveClientRegistrationRepository
Issue: gh-4807
2018-05-11 04:19:50 -05:00
Rob Winch c696640276 OAuth2AuthorizationResponseUtils uses MultiMap
Fixes: gh-5331
2018-05-11 04:19:50 -05:00
Joe Grandja fff64db0e2 Improve ClaimAccessor getClaimAsInstant
Fixes gh-5250
2018-05-03 21:03:45 -04:00
Joe Grandja 2356749cc3 Add test NimbusUserInfoResponseClient sets Accept header to JSON
Issue gh-5294
2018-05-03 20:18:41 -04:00
Joe Grandja b8f225c49e NimbusUserInfoResponseClient sets Accept header to JSON
Fixes gh-5294
2018-05-03 16:34:38 -04:00
Joe Grandja 4cc5705ae5 HttpSessionOAuth2AuthorizationRequestRepository removes empty Map from session
Fixes gh-5263
2018-05-02 11:07:26 -04:00
Joe Grandja 49b63e260d OAuth2LoginAuthenticationFilter should handle null ClientRegistration
Fixes gh-5251
2018-05-02 09:16:42 -04:00
Joe Grandja 6095340e93 OAuth2AuthorizationRequestRedirectFilter -> Reuse code for baseUrl
Fixes gh-5153
2018-04-09 21:11:00 -04:00
Joe Grandja d8f91e4261 Fix NPE with exp claim in NimbusJwtDecoderJwkSupport
Fixes gh-5168
2018-04-04 07:58:32 -04:00
Joe Grandja 2bd31c96ed ClaimAccessor.getClaimAsInstant() converts Long or Date
Fixes gh-5191, Fixes gh-5192
2018-04-03 21:14:25 -04:00
Joe Grandja 526e0fdd4f Add OAuth2 Client HandlerMethodArgumentResolver
Fixes gh-4651
2018-04-02 12:13:52 -04:00
Joe Grandja 982fc360b2 Add support for authorization_code grant
Fixes gh-4928
2018-04-02 12:13:06 -04:00
Joe Grandja ce2f669245 Remove state assertion when loading OAuth2AuthorizationRequest
Fixes gh-5163
2018-03-27 20:06:30 -04:00
Christoph Dreis d07cfe655d Use Supplier variants of Assert methods
2018-03-27 10:58:55 -05:00
Joe Grandja bb15213091 Ensure consistency by using Collection<GrantedAuthority> type
Fixes gh-5143
2018-03-21 10:35:18 -04:00
Joe Grandja 90f9d728cd Allow extension for OAuth2Error
Fixes gh-5148
2018-03-21 10:04:57 -04:00
Rob Winch bf41d48718 HttpSessionOAuth2AuthorizationRequestRepository support distributed HttpSession
Previously HttpSessionOAuth2AuthorizationRequestRepository
getAuthorizationRequest attempted to update the state of HttpSession as
well as getting the Map of OAuth2AuthorizationRequest. This had a few
problems

- First it was confusing that a get method updated state
- It worked when the session was in memory, but would not work when the
  HttpSession was persisted to an external store (i.e. Spring Session) since
  after updating the Map, there was no invocation to update

This commit cleans up the logic and ensures that the values are explicitly
set in the HttpSession so it works with a session persisted in an external
store.

Fixes: gh-5146
2018-03-20 22:14:48 -05:00
Rob Winch 04e2e86e6e Polish HttpSessionOAuth2AuthorizationRequestRepositoryTests
Fixes: gh-5147
2018-03-20 22:14:48 -05:00
Joe Grandja 59cef7d339 HttpSessionOAuth2AuthorizationRequestRepository handle multiple OAuth2AuthorizationRequest per session
Fixes gh-5110
2018-03-20 22:14:48 -05:00
Joe Grandja a5bd76b6ed Revert authorization_code grant support
This reverts commit eae7afd9aa.
2018-03-06 16:16:45 -05:00
Joe Grandja eae7afd9aa Add support for authorization_code grant
Fixes gh-4928
2018-03-02 14:30:49 -05:00
Joe Grandja 7eb58ee7d9 DefaultOAuth2UserService -> assert UserInfo Uri is set
Fixes gh-4992
2018-02-02 13:01:18 -05:00
Joe Grandja 6b24aaf6f5 Add javadoc for spring-security-oauth2-jose
Fixes gh-4885
2018-01-23 21:27:47 -05:00
Joe Grandja fe2ac00deb Add javadoc for spring-security-oauth2-client
Fixes gh-4884
2018-01-23 17:07:21 -05:00
Joe Grandja e6cac604f3 Add javadoc for spring-security-oauth2-core
Fixes gh-4883
2018-01-18 16:00:26 -05:00
Joe Grandja 1d32fffc1d Make OAuth2Error Serializable
Fixes gh-4944
2018-01-10 10:40:54 -05:00
Johnny Lim 57353d18e5 Use diamond type
2017-12-21 15:09:00 -06:00
Eddú Meléndez c16456623f Remove unused imports
2017-12-20 16:05:38 -06:00
Joe Grandja 268a1dc06e DefaultOAuth2User is Serializable
Fixes gh-4917
2017-12-19 09:07:17 -05:00
Rob Winch ae664c33b1 Polish
Fix compile warnings in ClientRegistrationTests
2017-11-27 12:12:59 -06:00
Johnny Lim edccafca84 Create OAuth2AuthorizationResponse lazily
This commit creates `OAuth2AuthorizationResponse` as lazily as possible to prevent the creation when `authorizationRequest` is `null`.

Fixes gh-4848
2017-11-20 11:01:34 -05:00
Joe Grandja c04b3b4114 Exclude well-known ports in expanded redirect-uri
Fixes gh-4836
2017-11-18 10:41:27 -05:00
Johnny Lim b6895e6359 Apply Checkstyle WhitespaceAfterCheck module
2017-11-16 11:18:31 -06:00
Joe Grandja dd33f0a7de ClientRegistration.redirectUri -> redirectUriTemplate
Fixes gh-4827
2017-11-15 14:51:35 -05:00
Joe Grandja e098c3707e Update default redirect-uri to use 'baseUrl' template variable
Fixes gh-4826
2017-11-15 14:51:35 -05:00
Johnny Lim d900f2a623 Remove unused imports
This commit also adds UnusedImportsCheck Checkstyle module.
2017-11-14 14:41:08 -06:00
Joe Grandja 872a8f3189 Change constructor param order in oauth2 client filters
Fixes gh-4818
2017-11-13 17:32:22 -05:00
Joe Grandja 426c034c01 OidcUserService uses custom userNameAttributeName
Fixes gh-4812
2017-11-12 14:44:57 -05:00
Joe Grandja 6775d9fdd8 OAuth2AccessTokenResponse should account for expires_in <= 0
Fixes gh-4810
2017-11-12 11:30:11 -05:00
Joe Grandja 63e2db72ea Add tests to oauth2-jose
Fixes gh-4806
2017-11-10 17:09:48 -05:00
Joe Grandja 473ac0e37c Add tests to oauth2-client
Fixes gh-4299
2017-11-10 16:03:34 -05:00
Joe Grandja db35dc6c03 Add tests to oauth2-core
Fixes gh-4298
2017-11-06 11:39:17 -05:00
Joe Grandja ef9cd76607 Polish oauth2
Fixes gh-4758
2017-10-30 16:49:01 -04:00
Joe Grandja d435f149eb Polish spring-security-oauth2-jose
Fixes gh-4755
2017-10-30 13:09:40 -04:00
Joe Grandja 511d702ee0 Remove JwtDecoderRegistry
Fixes gh-4754
2017-10-30 12:52:42 -04:00
Rob Winch d9584384c4 Move collectClaims to OidcUserAuthority
Fixes gh-4749
2017-10-29 20:41:05 -05:00
Rob Winch 3d065b5afd Add getIdToken getUser to OidcUser
Fixes gh-4748
2017-10-29 20:10:55 -05:00
Rob Winch c1c726f123 Polish InMemoryClientRegistrationRepository
Issue: gh-4745
2017-10-29 20:03:36 -05:00
Rob Winch a3e38fec47 Remove AuthorizationRequestUriBuilder
Make this API private since we don't have concrete use cases for exposing
it yet.

Fixes gh-4742
2017-10-29 19:50:02 -05:00
Joe Grandja c3d2effc1d Polish OAuth2AuthorizedClientService
Fixes gh-4746
2017-10-29 20:25:03 -04:00
Joe Grandja b496ad4d86 Polish OAuth2LoginAuthenticationToken
Fixes gh-4744
2017-10-29 19:21:41 -04:00
Rob Winch 8032baa296 Polish InMemoryClientRegistrationRepository
- use Map.get
- Construct with stream()
- Add tests
- Remove unnecessary unmodifiableCollection (already unmodifiable)

Fixes gh-4745
2017-10-29 18:07:49 -05:00
Rob Winch f0c2944377 OAuth2AuthorizationResponse getAccessToken
No longer delegate to OAuth2AccessToken but add getAccessToken()

Fixes gh-4743
2017-10-29 17:12:46 -05:00
Joe Grandja e4887057bc Rename AuthorizationGrantTokenExchanger -> OAuth2AccessTokenResponseClient
Fixes gh-4741
2017-10-29 17:49:15 -04:00
Joe Grandja 2a00232a5b Remove UserInfoRetreiver
Fixes gh-4740
2017-10-29 17:49:15 -04:00
Joe Grandja 6fbd435bdf OAuth2LoginAuthenticationFilter requires collaborators
Fixes gh-4661
2017-10-29 04:41:23 -04:00
Joe Grandja b471dd1c54 Remove OAuth2TokenRepository
Fixes gh-4727
2017-10-28 21:40:33 -04:00
Joe Grandja b1d56b5821 NimbusAuthorizationCodeTokenExchanger uses authorizationRequest.redirectUri
Fixes gh-4701
2017-10-28 21:30:40 -04:00
Joe Grandja 006319f19a UserInfoRetriever supports ParameterizedTypeReference
Fixes gh-4693
2017-10-28 19:26:04 -04:00
Joe Grandja 9dc4aa6c81 Make OidcUserInfo Serializable
Fixes gh-4733
2017-10-28 18:35:21 -04:00
Joe Grandja 83dc902ff7 Map CustomUserTypesOAuth2UserService using clientRegistrationId
Fixes gh-4692
2017-10-28 18:11:39 -04:00
Joe Grandja 0c68eb1821 Re-factor OAuth2AuthorizationCodeAuthenticationToken
Fixes gh-4730
2017-10-28 17:15:31 -04:00
Joe Grandja 64d8c8b8a9 Re-factor AuthorizationGrantTokenExchanger
Fixes gh-4728
2017-10-28 17:12:14 -04:00
Joe Grandja 16e69d06b4 Add OAuth2AuthorizedClientService
Fixes gh-4726
2017-10-28 17:12:14 -04:00
Sola f0b0cfc4fd Ensure Copyright header reads 2002-2017
fixes gh-4655

Signed-off-by: Sola <dev@sola.love>
2017-10-28 13:02:06 -05:00
Joe Grandja 67bac28481 OAuth2UserService uses OAuth2UserRequest
Fixes gh-4724
2017-10-27 22:34:25 -04:00
Joe Grandja 3d319f7592 Make AuthorizationRequestRepository a Generic
Fixes gh-4723
2017-10-27 21:31:45 -04:00
Joe Grandja 9afefef3b9 Polish class names in oauth2-client
Fixes gh-4722
2017-10-27 21:00:52 -04:00
Joe Grandja 34668e05af Polish class names in oauth2-core
Fixes gh-4720
2017-10-27 20:42:58 -04:00
Joe Grandja 8527daa22a Make OAuth2UserService Generic using OAuth2AuthorizedClient and OAuth2User types
Fixes gh-4706
2017-10-27 11:49:29 -04:00
Joe Grandja 3b80b6ded8 Move AuthorizationRequestUriBuilder to oauth2-client
Fixes gh-4703
2017-10-26 21:23:06 -04:00
Joe Grandja ef197d8215 Move JwtDecoderRegistry to oauth2.client.jwt package
Fixes gh-4705
2017-10-26 21:06:28 -04:00
Joe Grandja 70543dcb30 Move oidc package in oauth2-core and oauth2-client
Fixes gh-4710
2017-10-26 21:06:28 -04:00
Joe Grandja c5da9e08fd Move AuthorizedClient to root package oauth2.client
Fixes gh-4709
2017-10-26 15:51:26 -04:00
Joe Grandja ef83bc8dd7 Move package client.authentication.userinfo -> client.userinfo
Fixes gh-4708
2017-10-26 15:39:04 -04:00
Joe Grandja 35fb96a2f8 Move OAuth2AuthenticationException to oauth2-core
Fixes gh-4707
2017-10-26 15:12:03 -04:00
Joe Grandja 027ea78dab Revert "Move OAuth2LoginAuthenticationProvider into userinfo package"
This reverts commit 54547f35b7.
2017-10-26 14:55:25 -04:00
Joe Grandja 942b647c0d OAuth2LoginAuthenticationFilter processes uri /login/oauth2/code/*
Issue gh-4687
2017-10-26 14:20:19 -04:00
Rob Winch 54547f35b7 Move OAuth2LoginAuthenticationProvider into userinfo package
Fix package tangles. OAuth2LoginAuthenticationProvider requires
OAuth2UserService which is in a child package. We should move
OAuth2LoginAuthenticationProvider to the same package.

Issue: gh-4614
2017-10-26 11:22:21 -05:00
Joe Grandja 18dd49b47c Validate ID Token
Fixes gh-4440
2017-10-26 11:36:44 -04:00
Joe Grandja d0a4e49870 Map custom OAuth2User types using String
Fixes gh-4691
2017-10-25 17:13:44 -04:00
Joe Grandja 1a3b9c1f3f Polish UserInfoRetriever
Issue gh-4695
2017-10-25 16:48:50 -04:00
Joe Grandja 43d201fa3e Move OAuth2AuthenticationToken
Fixes gh-4697
2017-10-25 16:17:49 -04:00
Joe Grandja 9fbea5a11e Refactor SecurityTokenRepository
Fixes gh-4650
2017-10-25 16:00:34 -04:00
Joe Grandja 5237c6e01b Remove AuthorizedClient.getAuthorizedScopes()
Fixes gh-4696
2017-10-25 14:06:34 -04:00
Joe Grandja 5a584e5ccb Rename OAuth2/OIDC ClientAuthenticationToken -> AuthorizedClient
Fixes gh-4695
2017-10-25 13:47:00 -04:00
Joe Grandja 9b670882b7 Rename SecurityToken -> AbstractOAuth2Token
Fixes gh-4646
2017-10-25 10:29:34 -04:00
Rob Winch 1bd826897f UserInfoRetriever.retrieve accepts the type to convert
Fixes gh-4688
2017-10-24 15:14:58 -05:00
Joe Grandja 4dbbcabacf Rename AuthorizationCodeAuthenticationProvider -> OAuth2LoginAuthenticationProvider
Fixes gh-4690
2017-10-24 15:24:26 -04:00
Joe Grandja 049080290e Refactor OAuth2 AuthenticationProvider's
Fixes gh-4689
2017-10-24 15:24:26 -04:00
Joe Grandja 0fb32a052e OAuth2LoginAuthenticationFilter processes uri /login/oauth2/*
Fixes gh-4687
2017-10-24 15:24:26 -04:00
Joe Grandja 4ae24f2fbe Rename AuthorizationCodeAuthenticationFilter -> OAuth2LoginAuthenticationFilter
Fixes gh-4686
2017-10-24 15:24:25 -04:00
Joe Grandja 8e7838fa64 Verify UserInfo Response sub claim
Fixes gh-4441
2017-10-23 11:44:29 -04:00
Joe Grandja ff0009daed Add AuthorizationRequest.Builder.scope(String...)
Fixes gh-4643
2017-10-23 11:20:15 -04:00
Joe Grandja 8a416793aa Return AuthorizationRequest from AuthorizationRequestRepository.removeAuthorizationRequest
Fixes gh-4652
2017-10-23 11:02:17 -04:00
Joe Grandja 6d7d34c549 Move AuthorizationRequestUriBuilder and DefaultAuthorizationRequestUriBuilder
Fixes gh-4658
2017-10-23 10:19:31 -04:00
Joe Grandja f0c9f85292 spring-security-jwt-jose -> spring-security-oauth2-jose
Fixes gh-4595
2017-10-23 09:04:01 -04:00
Joe Grandja c94b3f4d23 Add AuthorizationExchange
Fixes gh-4660
2017-10-20 20:59:32 -04:00
Joe Grandja eb2b573426 Validate Authorization Response
Fixes gh-4657, Issue gh-4654
2017-10-20 20:59:32 -04:00
Joe Grandja 8e3a2a7123 Remove AuthorizationCodeAuthenticationFilter.AuthorizationResponseMatcher
Fixes gh-4654
2017-10-20 06:09:31 -04:00
Joe Grandja 84a1c417a3 Extract Converter from AuthorizationResponseMatcher
Fixes gh-4653
2017-10-20 04:56:07 -04:00
Joe Grandja d4dac21ca5 Make ClientRegistration.Builder constructor private
Fixes gh-4656
2017-10-19 14:15:59 -04:00
Joe Grandja a980e3b0d7 Remove ClientRegistrationIdentifierStrategy
Fixes gh-4648
2017-10-19 13:40:06 -04:00
Joe Grandja f3756cdd07 Remove ClientRegistrationProperties
Fixes gh-4649
2017-10-19 13:27:54 -04:00
Joe Grandja 1f5edc98d5 ClientRegistration.Builder.scopes -> scope
Fixes gh-4663
2017-10-19 11:24:01 -04:00
Joe Grandja 1e891b38ab Rename scope -> scopes for Set types
Fixes gh-4644
2017-10-18 17:56:39 -04:00
Joe Grandja a77bdb0c5d Make AuthorizationRequest serializable
Fixes gh-4627
2017-10-18 15:55:37 -04:00
Rob Winch d7d6400971 DefaultStateGenerator->Base64StringKeyGenerator
Rename and move DefaultStateGenerator since it is more generic than just
OAuth.

Fixes gh-4645
2017-10-18 11:29:04 -05:00
Rob Winch d554b06a43 OAuth use ConcurrentHashMap
Fixes gh-4647
2017-10-17 22:17:09 -05:00
Rob Winch b764c666c6 Fix jwt package tangles
JWT is part of OAuth2, so it should be a subpackage of oauth2.

Fixes gh-4614
2017-10-17 21:06:27 -05:00
Rob Winch c5abcd1fcd DefaultAuthorizationRequestUriBuilder uses StringUtils
Fixes gh-4642
2017-10-17 20:24:43 -05:00
Joe Grandja 7b8d131386 Fix package tangles -> OAuth2/Oidc AuthenticationProvider's
Fixes gh-4614
2017-10-16 20:56:32 -04:00
Johnny Lim 25052214ae Polish
2017-10-16 18:33:27 -05:00
Joe Grandja a7d054c9f3 Remove AuthorizationGrantAuthenticator
2017-10-16 13:43:11 -04:00
Joe Grandja 3c824dc44b Fix package tangles -> OAuth2UserService
Fixes gh-4614
2017-10-13 18:59:41 -04:00
Joe Grandja cfa4858b04 Fix package tangles -> AuthorizationGrantTokenExchanger
Fixes gh-4614
2017-10-13 16:35:48 -04:00
Joe Grandja ea64d10d95 Polish jwt-jose
2017-10-13 07:09:00 -04:00
Joe Grandja c441f99567 Polish oauth2-client
2017-10-13 07:09:00 -04:00
Joe Grandja d4d7199a6d Polish oauth2-core
2017-10-13 07:09:00 -04:00
Joe Grandja df474e04d8 Move logic from AuthorizationCodeAuthenticationFilter to OAuth2UserAuthenticationProvider
2017-10-11 17:39:21 -04:00
Joe Grandja ca5b62abb5 Move AuthorizationResponseConverter logic to AuthorizationCodeAuthenticationFilter
2017-10-11 17:39:21 -04:00
Joe Grandja d840090cb0 Add support for implicit grant type
Fixes gh-4500
2017-10-11 13:54:59 -04:00
Joe Grandja 401c84b3f2 Externalize error codes from OAuth2Error
Fixes gh-4606
2017-10-10 20:24:33 -04:00
Joe Grandja da0a7afa38 Polish AuthorizationCodeAuthenticationFilter
Fixes gh-4599
2017-10-10 14:39:47 -04:00
Joe Grandja efa4bf409c Remove AuthorizationCodeRequestRedirectFilter.setAuthorizationRequestMatcher
2017-10-10 14:38:06 -04:00
Joe Grandja 6b16fa0d8c Polish OAuth Security Configurers
2017-10-10 14:38:06 -04:00
Joe Grandja 97c938e7f3 Extract authentication logic from AuthorizationCodeAuthenticationFilter
Fixes gh-4590
2017-10-10 14:38:06 -04:00
Joe Grandja 5811624bbe Polish endpoint package
* Remove ErrorResponseAttributes
* Rename AuthorizationRequestAttributes -> AuthorizationRequest
* Remove AuthorizationCodeTokenRequestAttributes
* Rename TokenResponseAttributes -> TokenResponse

Issue gh-4593
2017-10-06 18:51:24 -04:00
Joe Grandja ce142e50b6 Rename AuthorizationCodeAuthorizationResponseAttributes -> AuthorizationResponse
Fixes gh-4593
2017-10-06 18:51:24 -04:00
Joe Grandja eca2b67137 ClientRegistration supports 'baseUrl' uri variable
Fixes gh-4589
2017-10-05 20:35:51 -04:00
Joe Grandja dec0bce100 Remove authorities -> AuthorizationGrantAuthenticationToken constructor
Fixes gh-4602
2017-10-05 20:22:50 -04:00
Joe Grandja 1b7e761be4 Remove SecurityTokenRepository from AuthorizationCodeAuthenticationProvider constructor
Fixes gh-4591
2017-10-05 17:05:56 -04:00
Joe Grandja eb320bfed4 AuthorizationCodeAuthenticationProcessingFilter -> AuthorizationCodeAuthenticationFilter
2017-10-05 16:40:12 -04:00
Joe Grandja 5c14e48b18 Add OAuth2UserAuthenticationProvider
Moved logic from AuthorizationCodeAuthenticationProvider
to OAuth2UserAuthenticationProvider (new) related to
loading user attributes via OAuth2UserService.

This re-factor is part of the work required for Issue gh-4513
2017-10-05 15:15:35 -04:00
Joe Grandja f8a9077d5a Generalize AuthorizationCodeAuthenticationProvider
The AuthorizationCodeAuthenticationProvider implements part of the
Authorization Code Grant flow as defined in
OAuth 2.0 Authorization Framework and OpenID Connect Core 1.0.
The implementation needs to be de-coupled to allow for better re-use and readability.
This commit introduces the AuthorizationGrantAuthenticator and extracts logic from
AuthorizationCodeAuthenticationProvider and provides different implementations
for OAuth 2.0 and OpenID Connect 1.0.

This re-factor is part of the work required for Issue gh-4513
2017-10-05 05:02:22 -04:00
Joe Grandja 0d516ca32c Rename scopes -> scope
2017-10-02 15:50:16 -04:00
Joe Grandja fb57111ecd redirect-uri property supports 'baseRedirectUrl' uri variable
Fixes gh-4589
2017-10-02 15:29:03 -04:00
Joe Grandja 66647070ab Default login page supports Iterable<ClientRegistration>
Fixes gh-4596
2017-09-29 19:54:17 -04:00
Joe Grandja ad91adf9dc Retrieving the UserInfo is conditional
Fixes gh-4451
2017-09-29 10:51:16 -04:00
Rob Winch 646b3e48b3 Avoid Exception Message in HTTP Response
Fixes gh-4587
2017-09-28 17:24:49 -05:00
Joe Grandja b9258aa6ee Make AuthorizationRequestUriBuilder optional
Fixes gh-4577
2017-09-28 16:43:11 -04:00
Joe Grandja bfb77a7804 Remove unnecessary dependencies
2017-09-28 15:42:12 -04:00
Joe Grandja 9a8ddebc94 Use param matching for Authorization Response
Fixes gh-4576
2017-09-28 10:21:01 -04:00
Joe Grandja d191bcc8ac Remove ClientRegistrationRepository.findByClientId()
Fixes gh-4583
2017-09-28 09:01:58 -04:00
Joe Grandja 52f495a5ec Remove ProviderJwtDecoderRegistry
Fixes gh-4581
2017-09-28 08:51:43 -04:00
Joe Grandja 8448a54678 Remove ClientRegistrationRepository.getRegistrations()
Fixes gh-4582
2017-09-28 07:02:59 -04:00
Joe Grandja 3217582805 Introduce JwtDecoderRegistry
Fixes gh-4584
2017-09-28 06:07:47 -04:00
Joe Grandja b463f8e6b5 Remove httpSecurity.oauth2Login().userInfoEndpoint().userNameAttributeName()
Related gh-4580
2017-09-27 15:39:39 -04:00
Joe Grandja 814742fef6 Rename ClientRegistration.clientAlias -> registrationId
Fixes gh-4575
2017-09-27 09:14:55 -04:00
Joe Grandja 38be35677d Add userNameAttributeName to ClientRegistration
Fixes gh-4580
2017-09-26 21:55:19 -04:00
Joe Grandja 7fb3093617 Fix NPE InMemoryClientRegistrationRepository 2017-09-26 14:08:01 -04:00
Joe Grandja 0e9b2807bf Split up NimbusOAuth2UserService
Fixes gh-4447
2017-09-26 11:32:49 -04:00
Joe Grandja a06487c0f7 Move additionalParameters to TokenResponseAttributes
Fixes gh-4554
2017-09-22 15:21:22 -04:00
Joe Grandja 680984c242 SecurityTokenRepository associates SecurityToken to ClientRegistration
Fixes gh-4563
2017-09-22 09:51:00 -04:00
Joe Grandja 7fb386669f InMemoryClientRegistrationRepository -> enforce unique ClientRegistrations
Fixes gh-4562
2017-09-21 15:47:26 -04:00
Joe Grandja 9b61eba41d Add identifier strategy for ClientRegistration
Fixes gh-4561
2017-09-21 10:19:28 -04:00
Joe Grandja 991a154703 Add OIDC Client and User Authentication
Fixes gh-4521
2017-09-19 20:57:56 -04:00
Joe Grandja c54c622124 Re-structure OAuth2AuthenticationToken
Fixes gh-4553
2017-09-19 16:35:43 -04:00
Rob Winch e345dd106c Remove leading whitespaces 2017-09-18 11:52:31 -05:00
Joe Grandja 65b968f04a Move servlet-specific classes to 'web' package
Fixes gh-4366
2017-09-13 16:13:32 -04:00
Joe Grandja 9133eb1b78 Revert "Provide fix for Google iss claim"
This reverts commit b6212cba66.
2017-09-13 14:07:23 -04:00
Vedran Pavic 549decf00a Prefer `sub` claim as OIDC principal name
This commit removes the preference for the `name` claim as the principal name in `DefaultOidcUser`, so that the default is now the `sub` claim. In addition to that, `DefaultOidcUser` now also provides constructors to explicitly define the claim to be preferred as the principal name.

Fixes gh-4515
2017-09-13 13:53:14 -04:00
Joe Grandja 4ff0b52f74 Remove HttpClientConfig
Issue gh-4478
2017-09-12 21:03:40 -04:00
Joe Grandja 223b126de5 Remove Serializable from OAuth2User
Fixes gh-4514
2017-09-05 09:24:25 -04:00
Joe Grandja 306f81b7f7 Minor renames to oauth2 client properties
Fixes gh-4296
2017-08-30 11:51:06 -04:00
Joe Grandja b6212cba66 Provide fix for Google iss claim
Fixes gh-4511
2017-08-26 18:55:23 -04:00
Joe Grandja 4951550d7d Add context path to authorization request URI
Fixes gh-4510
2017-08-26 18:55:23 -04:00
Luander Ribeiro ec908bb700 Add unit tests for endpoints package
Fixes gh-4499

This commit contains unit tests for the endpoints package in oauth2-core.
2017-08-24 18:26:33 -04:00
Joe Grandja bc6be86aec Add in-memory AccessTokenRepository
Fixes gh-4508
2017-08-23 17:18:35 -04:00
Joe Grandja d6ba348a59 Add SecurityTokenRepository abstraction
Fixes gh-4405
2017-08-23 17:18:19 -04:00
Joe Grandja 93c2b2533e Allow configuring request paths for oauth2 filters
Fixes gh-4473
2017-08-23 17:17:01 -04:00
Rob Winch e16b8e7976 Fix logback-test.xml 2017-08-17 16:42:01 -05:00
Luander Ribeiro 65734414f7 Added HttpServletResponse to AuthorizationRequestRepository
This change enables AuthorizationRequestRepository to possibly save the AuthorizationRequestAttributes to a cookie.

Fixes gh-4446
2017-08-15 09:45:52 -04:00
Joe Grandja ef1de5eda0 Remove Accept header for UserInfo request
Fixes gh-4481
2017-08-15 04:54:38 -04:00
Joe Grandja c872499eee Enable custom configuration for HTTP client
Fixes gh-4477
2017-07-28 16:43:44 -04:00
Joe Grandja 3b42323b6d AuthorizationCodeRequestRedirectFilter -> always expand redirectUri
Fixes gh-4444
2017-07-28 09:31:38 -04:00
Joe Grandja c204cc2c31 Completed implementation in ClaimAccessors
Fixes gh-4449
2017-07-28 09:31:38 -04:00
Joe Grandja 33423c46d3 Rename AbstractToken to SecurityToken
Fixes gh-4466
2017-07-28 09:31:37 -04:00
Joe Grandja f50812c385 Renamed methods in AuthorizationCodeRequestRedirectFilter
Fixes gh-4443
2017-07-14 17:09:49 -04:00
Joe Grandja 598a08e2d8 Update docs AuthorizationCodeAuthenticationProvider
Fixes gh-4450
2017-07-14 16:58:36 -04:00
Joe Grandja 9cfb890207 Use id_token for user authentication
Fixes gh-4410
2017-07-07 12:44:26 -04:00
Joe Grandja c986b6f4b5 Add support for JWT/JWS
Fixes gh-4434
2017-07-05 16:23:32 -04:00
Joe Grandja 6c0ecea494 Use java.util.Function instead of Converter
Fixes gh-4323
2017-06-01 17:25:39 -04:00
Joe Grandja 545339c663 Change AuthorizationGrantType from enum to class
Fixes gh-4291
2017-05-30 16:22:53 -04:00
Joe Grandja 4476df93e9 Change ResponseType from enum to class
Fixes gh-4292
2017-05-30 16:11:57 -04:00
Joe Grandja 336e247e70 Change AccessToken.TokenType from enum to class
Fixes gh-4293
2017-05-30 15:50:58 -04:00
Joe Grandja 435e389609 Change ClientAuthenticationMethod from enum to class
Fixes gh-4313
2017-05-30 14:41:59 -04:00
Joe Grandja 3ccf6764c1 Handle unsuccessful UserInfo response
Fixes gh-4351
2017-05-24 15:43:21 -04:00
Joe Grandja 521feb9a1b Update Boot samples to 2.0.0.M1
Fixes gh-4339
2017-05-24 11:32:00 -04:00
Rob Winch d81b436e5d Remove pom.xml from build
Gradle is easy enough to import into IDEs, so pom.xml should no
longer be necessary.

This commit removes the pom.xml files from the build.

Fixes gh-4283
2017-05-11 14:32:36 -05:00
Vedran Pavic 85719fcd64 Use Base64 implementation provided by Java 8 2017-05-10 00:27:36 -05:00
Joe Grandja a458b682d6 Add package/class level javadoc in oauth2-client
Fixes gh-4295
2017-05-04 12:37:35 -04:00
Joe Grandja 829c386756 Add support for OAuth 2.0 Login
Fixes gh-3907
2017-04-28 10:58:59 -04:00