The new method is intended to replace ClaimAccessor#containsClaim, the
return type of which was non-primitive Boolean. The existing
containsClaim method is now deprecated.
Closes gh-9201
- Adjusted internal logic to follow DelegatingOAuth2TokenValidator
- Changed JavaDoc to align more closely with
JwtGrantedAuthoritiesConverter
- Polished test names to follow Spring Security naming convention
- Updated test class name to follow Spring Security naming convention
- Polished tests to use TestJwts
- Added tests to address additional use cases
Closes gh-7596
Implement R2dbcReactiveOuath2AuthorizedClientService which persists the
Oauth2AuthorizedClient in a sql database
R2dbcReactiveOuath2AuthorizedClientService is using the spring-r2dbc
module to persist/load Oauth2AuthorizedClient to/from a sql database
Add optional depedency to the spring-r2dbc module
Add test compile dependencies to r2dbc-h2 and r2dbc-test
Closes gh-7890
- NimbusJwtDecoder uses claim set converters: issuer claim is converted to an URL object
- JwtIssuerValidator (created by JwtValidators.createDefaultWithIssuer(String)) wraps a JwtClaimValidator<String>
- because of different data types, equal() is always false
This change allows both Strings and URLs as values of the issuer
Closes gh-9136
LobHandler provides an abstraction for handling large binary fields and large text
fields in specific databases, no matter if represented as simple types or
Large OBjects.
Its use provides compatibility with many databases eliminating the need
for custom OAuth2AuthorizedClientParametersMapper and
OAuth2AuthorizedClientRowMapper implementations.
Closes gh-9070
- Moved support to JwtDecoders and ReactiveJwtDecoders since there is
already the expectation that those classes make an outbound connection
to complete configuration. Since there's no outbound connection when
configuring a NimbusJwtDecoder or NimbusReactiveJwtDecoder, it would be
more intrusive to change that.
Closes gh-7160
Consistently use `assertThatExceptionOfType(...).isThrownBy(...)`
rather than `assertThatCode` or `assertThatThrownBy`. This aligns with
Spring Boot and Spring Cloud. It also allows the convenience
`assertThatIllegalArgument` and `assertThatIllegalState` methods to
be used.
Issue gh-8945
Remove all blank lines from test code so that test methods are
visually grouped together. This generally helps to make the test
classes easer to scan, however, the "given" / "when" / "then"
blocks used by some tests are now not as easy to discern.
Issue gh-8945
Update all ternary expressions so that the condition is always in
parentheses and "not equals" is used in the test. This helps to bring
consistency across the codebase which makes ternary expression easier
to scan.
For example: `a = (a != null) ? a : b`
Issue gh-8945
Reduce method visibility for package private classes when possible.
In the case of abstract classes that will eventually be made public,
the class has been made public and a package-private constructor has
been added.
Issue gh-8945
Use regular expression search/replace to ensure all single-arg
lambdas have parenthesis. This aligns with the style used in Spring
Boot and ensure that single-arg and multi-arg lambdas are consistent.
Issue gh-8945
Update all utility classes so that they have a private constructor. This
prevents users from accidentally creating an instance, when they should
just use the static methods directly.
Issue gh-8945
Add an additional lines after the copyright header and before the
`package` declaration. This aligns with the style used by Spring
Framework.
Issue gh-8945
Replace static imports with class referenced methods. With the exception
of a few well known static imports, checkstyle restricts the static
imports that a class can use. For example, `asList(...)` would be
replaced with `Arrays.asList(...)`.
Issue gh-8945
Migrate Mockito imports to use the BDD variant. This aligns better with
the "given" / "when" / "then" style used in most tests since the "given"
block now uses Mockito `given(...)` calls.
The commit also updates a few tests that were accidentally using
Power Mockito when regular Mockito could be used.
Issue gh-8945
Move all inner-types so that they are consistently the last item
defined. This aligns with the style used by Spring Framework and
the consistency generally makes it easier to scan the source.
Issue gh-8945
Replace code of the form `a = b =c` with distinct statements. Although
this results in more lines of code, they are usually easier to
understand.
Issue gh-8945
Apply an Eclipse cleanup rules to ensure that fields are always accessed
using `this.`. This aligns with the style used by Spring Framework and
helps users quickly see the difference between a local and member
variable.
Issue gh-8945
Update classes that have private constructors so that they are also
declared final. In a few cases, inner-classes used private constructors
but were subclassed. These have now been changed to have package-private
constructors.
Issue gh-8945
Bearer token was resolved immediately after calling method convert. In situations when malformed token was provided or authorization header and access token query param were present in request exception was thrown instead of signalling error.
After this change Bearer token is resolved on subscription and invalid states are handled by signaling error to subscriber.
Closes gh-8865
Bearer token was resolved immediately after calling method convert. In situations when malformed token was provided or authorization header and access token query param were present in request exception was thrown instead of signalling error.
After this change Bearer token is resolved on subscription and invalid states are handled by signaling error to subscriber.
Closes gh-8865
Bearer token was resolved immediately after calling method convert. In situations when malformed token was provided or authorization header and access token query param were present in request exception was thrown instead of signalling error.
After this change Bearer token is resolved on subscription and invalid states are handled by signaling error to subscriber.
Closes gh-8865
Removed some duplication by delegating to
DefaultOAuth2AuthenticatedPrincipal
Changed order of listed interfaces to satisfy compiler issue. When
listed with OAuth2AuthenticatedPrincipal first, then
OAuth2ResourceServerBeanDefinitionParserTests would fail to import
OpaqueTokenBeanDefinitionParser. Switching
OAuth2AuthenticatedPrincipal with OAuth2IntrospectionClaimAccessor
resolved the compilation issue.
Issue gh-6489
In order to simplify retrieving of OAuth 2.0 Introspection specific
attributes, OAuth2IntrospectionClaimAccessor interface was introduced
and also new OAuth2AuthenticatedPrincipal implementing this new
interface (OAuth2IntrospectionAuthenticatedPrincipal).
Also DefaultOAuth2AuthenticatedPrincipal was replaced by
OAuth2IntrospectionAuthenticatedPrincipal in cases where OAuth 2.0
Introspection is performed (NimbusOpaqueTokenIntrospector,
NimbusReactiveOpaqueTokenIntrospector).
DefaultOAuth2AuthenticatedPrincipal can be still used by applications
that introspected the token without OAuth 2.0 Introspection.
OAuth2IntrospectionAuthenticatedPrincipal will also be used as a
default principal in tests where request is post-processed/mutated
by OpaqueTokenRequestPostProcessor/OpaqueTokenMutator.
Closes gh-6489
- docs stated that empty authorityPrefix are allowed but implementation denied to use `""`
- commit removes the `hasText`-limitation but restricts to `notNull`
Fixes gh-8421
Extends all existing builders in NimbusJwtDecoder and NimbusReactiveJwtDecoder with a
post-processor hook to apply changes on the JWTProcessor used for token verification.
Test cases added show how this is used to configure the JWTProcessor to allow additional
JWT typ headers.
Closes gh-8730
Per the servlet spec, getParameter(name) consumes the request body for
POST requests.
This commit prevents DefaultOAuth2AuthorizationRequestResolver from
consuming the request body for non-Authorization requests.
Closes gh-8650
- Add "issuerUri" attribute to ClientRegistration.providerDetails for OpenID Connect Discovery 1.0 or OAuth 2.0 Authorization Server Metadata.
- Validate OidcIdToken "iss" claim against the OpenID Provider "issuerUri" value.
- Update documentation for client registration: it includes issuer-uri property now.
Fixes gh-8326
Before this commit, JdbcOAuth2AuthorizedClientService threw DuplicateKeyException when re-authorizing or when authorizing the same user from a different client.
This commit makes JdbcOAuth2AuthorizedClientService's saveAuthorizedClient method consistent with that of InMemoryOAuth2AuthorizedClientService.
Fixes gh-8425
Before this commit, JdbcOAuth2AuthorizedClientService threw DuplicateKeyException when re-authorizing or when authorizing the same user from a different client.
This commit makes JdbcOAuth2AuthorizedClientService's saveAuthorizedClient method consistent with that of InMemoryOAuth2AuthorizedClientService.
Fixes gh-8425
- docs stated that empty authorityPrefix are allowed but implementation denied to use `""`
- commit removes the `hasText`-limitation but restricts to `notNull`
Fixes gh-8421
- docs stated that empty authorityPrefix are allowed but implementation denied to use `""`
- commit removes the `hasText`-limitation but restricts to `notNull`
Fixes gh-8421
When the issuer is set in the provider metadata, we validate the iss
field of the ID Token against it.
The OpenID Connect Specification says this must always be validated.
But this would be a breaking change for applications configured other
than with ClientRegistrations.fromOidcIssuerLocation(issuer). This will
be done later with #8326
Fixes gh-8321
Allow the configuration of a custom GrantedAuthorityMapper for reactive OAuth2Login
- Add setter in OidcAuthorizationCodeReactiveAuthenticationManager
and OAuth2LoginReactiveAuthenticationManager
- Use an available GrantedAuthorityMapper bean to configure the default ReactiveAuthenticationManager
Fixes gh-8324
- Follow convention to prefix member variable references with "this."
- Reduce stack trace when IOException is thrown
- Name tests to follow conventions
Issue gh-8332
Added ability to specify the header that
ServerBearerTokenAuthenticationConverter and
DefaultBearerTokenResolver use to extract a Bearer Token.
Fixes gh-8337
1. update OAuth2LoginAuthenticationProvider to use
OAuth2AuthorizationCodeAuthenticationProvider
2. apply fix gh-5368 for OAuth2AuthorizationCodeAuthenticationProvider
to return additionalParameters value from accessTokenResponse
Fixes gh-5633
1. update OAuth2LoginAuthenticationProvider to use
OAuth2AuthorizationCodeAuthenticationProvider
2. apply fix gh-5368 for OAuth2AuthorizationCodeAuthenticationProvider
to return additionalParameters value from accessTokenResponse
Fixes gh-5633
1. update OAuth2LoginAuthenticationProvider to use
OAuth2AuthorizationCodeAuthenticationProvider
2. apply fix gh-5368 for OAuth2AuthorizationCodeAuthenticationProvider
to return additionalParameters value from accessTokenResponse
Fixes gh-5633
Make defensive collection copy as Collections.unmodifiableCollection
does not protect from the source collection direct modification.
Use Mono#map instead of Mono#flatMap as it allocates less.
Use less operators to reduce allocations.
Use lambda parameter instead of outer method parameter
in authenticationManagers#computeIfAbsent()
to make it non capturing so it could be cached by JVM.
Propagate cause for InvalidBearerTokenException.
If the authorization URL in the OAuth2 provider configuration contained query parameters with escaped characters, these characters were escaped a second time. This commit fixes it.
It is relevant to support the OIDC claims parameter (see https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter).
Fixes gh-7871
If the authorization URL in the OAuth2 provider configuration contained query parameters with escaped characters, these characters were escaped a second time. This commit fixes it.
It is relevant to support the OIDC claims parameter (see https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter).
Fixes gh-7871
Updated NimbusOpaqueTokenIntrospector and
NimbusReactiveOpaqueTokenIntrospector to throw.
Updated OpaqueTokenAuthenticationProvider and
OpaqueTokenReactiveAuthenticationManager to catch.
Fixes gh-7902
Updated NimbusJwtDecoder and NimbusReactiveJwtDecoder to throw.
Updated JwtAuthenticationProvider and JwtReactiveAuthenticationManager
to catch.
Fixes gh-7885
Since these converters no longer have a direct reference to the HTTP
stack, it would be better to move them into another package. Also, now
that the converters are public, we should follow the prevailing
converter naming convention, which is to call it STConverter for an
implementation of Converter<S, T>.
All ReactiveOAuth2AuthorizedClientManagers now have authorization success/failure handlers.
A success handler is provided to save authorized clients for future requests.
A failure handler is provided to remove previously saved authorized clients.
ServerOAuth2AuthorizedClientExchangeFilterFunction also makes use of a
failure handler in the case of unauthorized or forbidden http status code.
The main use cases now handled are
- remove authorized client when an authorization server indicates that a refresh token is no longer valid (when authorization server returns invalid_grant)
- remove authorized client when a resource server indicates that an access token is no longer valid (when resource server returns invalid_token)
Introduced ClientAuthorizationException to capture details needed when removing an authorized client.
All ReactiveOAuth2AccessTokenResponseClients now throw a ClientAuthorizationException on failures.
Created AbstractWebClientReactiveOAuth2AccessTokenResponseClient to unify common logic between all ReactiveOAuth2AccessTokenResponseClients.
Fixes gh-7699
Rename OAuth2AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager to AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager.
Handle empty mono returned from contextAttributesMapper.
Handle empty map returned from contextAttributesMapper.
Fix DefaultContextAttributesMapper so that it doesn't access ServerWebExchange.
Fix unit tests so that they pass.
Use StepVerifier in unit tests, rather than .subscribe().
Fixes gh-7569
ReactiveOAuth2AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager is reactive
version of AuthorizedClientServiceOAuth2AuthorizedClientManager
Fixes: gh-7569
Rename OAuth2AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager to AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager.
Handle empty mono returned from contextAttributesMapper.
Handle empty map returned from contextAttributesMapper.
Fix DefaultContextAttributesMapper so that it doesn't access ServerWebExchange.
Fix unit tests so that they pass.
Use StepVerifier in unit tests, rather than .subscribe().
Fixes gh-7569
ReactiveOAuth2AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager is reactive
version of AuthorizedClientServiceOAuth2AuthorizedClientManager
Fixes: gh-7569
OpenID Connect Discovery 1.0 expects the OpenId Provider Metadata
response is expected to return a valid jwks_uri, however, this field is
optional in the Authorization Server Metadata response as per RFC 8414
specification.
Fixes gh-7512
Previously, saveAuthorizedClient never actually saved the authorized
client, because it ignored the Mono<Void> returned from
authorizedClientRepository.saveAuthorizedClient.
Now, it does not ignore the Mono<Void> returned from
authorizedClientRepository.saveAuthorizedClient, and includes it in
the stream, and therefore it will properly save the authorized client.
Fixes gh-7546
Improve handling of IOException to report an
AuthenticationServiceExceptionThere are many reasons that a
DefaultReactiveOAuth2UserService might fail due to an IOException
(i.e. SSLHandshakeException). In those cases we should use a
AuthenticationServiceException so that users are aware there is likely
some misconfiguration.
Fixes gh-7370
Dirties the WebSession by putting the amended AUTHORIZATION_REQUEST map into
the WebSession even it was already in the map. This causes common SessionRepository
implementations like Redis to persist the updated attribute.
Fixes gh-7327
Author: Andreas Kluth <mail@andreaskluth.net>
First version of replacing streams
fix wwwAuthenticate and codestyle
fix errors in implementation to pass tests
Fix review notes
Remove uneccessary final to align with cb
Short circuit way to authorize
Simplify error message, make code readably
Return error while duplicate key found
Delete check for duplicate, checkstyle issues
Return duplicate error
Fixes gh-7154
RequestContextSubscriber could cause NPE if Mono/Flux.subscribe()
was invoked outside of Web Context.
In addition it replaced source Context with its own without respect
to old data.
Now Request Context Data is Propagated within holder class and
it is added to existing reactor Context if Holder is not empty.
Fixes gh-7228
WebClient exchange requires that the body is consumed. Before this commit
there were places where an Exception was thrown without consuming the body
if the status was not successful. There was also the potential for the
statusCode invocation to throw an Exception of the status code was not
defined which would cause a leak.
This commit ensures that before the Exception is thrown the body is
consumed. It also uses the http status in a way that will ensure an
Exception is not thrown.
Fixes gh-7293
Prior to this change authorities are always mapped using well known
claim names ('scope' or 'scp'). To change this default behaviour the
converter had to be replaced completely with a custom one.
This commit adds an additional setter to configure a custom
claim name like e.g. 'roles'. Without specifying a custom claim name
the default claims to be used still remains to the well known ones.
This way the authorities can be mapped according to customized
token claims.
Fixes gh-7100
Prior to this change mapped authorities are always prefixed
with default value 'SCOPE_'. To change this default behaviour the
converter had to be replaced completely with a custom one.
This commit adds an additional setter to configure a custom
authority prefix like e.g. 'ROLE_'. Without specifying a custom prefix
the default prefix still remains 'SCOPE_'.
This way existing authorization checks using the standard 'ROLE_'
prefix can be reused without lots of effort.
Fixes gh-7101
olivier.antoine
Joe Grandja
grimsa
Josh Cummings
Ropi
Arvid Ottenberg
Rob Winch
Ovidiu Popa
Christian Mouttet
Alexey Nesterov
Craig Andrews
Nick Hitchan
Phillip Webb
Martin Vietz
Eleftheria Stein
Dávid Kováč
Dennis Neufeld
kothasa
Julian Müller
Benjamin Bargeton
Jan Oopkaup
Erik Bakker
Parikshit Dutta
Joe Grandja
Thomas Vitale
Stav Shamir
Daniel Furtlehner
Antonin Arquey
Evgeniy Cheban
Mykyta Bezverkhyi
Teddy Reinert
Ruby Hartono
Martin Nemec
Roman Matiushchenko
Zeeshan Adnan
Manuel Bleichenbacher
Stephane Maldini
Nikita Konev
Phil Clay
Ankur Pathak
Rafiullah Hamedy
Everett Irwin
Mark Heckler
Eddú Meléndez
Andreas Kluth
Bouke Nijhuis
kostya05983
Lars Grefer
watsta
Ebert Toribio
Andreas Falk