This polishes the EnableGlobalMethodSecurity misconfiguration check to
not error if the user has specified a custom method security metadata
source.
Issue: gh-5341
Resource Server doesn't need to set the session policy for the
application to STATELESS since it can rely on the
SessionManagementFilter ignoring token's annotated with @Transient,
which a JwtAuthenticationToken is.
Fixes: gh-5759
Previously there was a tangle between
DefaultOAuth2AuthorizationRequestResolver and
OAuth2AuthorizationRequestRedirectFilter with
AUTHORIZATION_REQUIRED_EXCEPTION_ATTR_NAME
This commit adds a new method that can be used for resolving the
OAuth2AuthorizationRequest when the client registration id is known.
Issue: gh-4911
This introduces OAuth2TokenValidator which allows the customization of
validation steps that need to be performing when decoding a string
token to a Jwt.
At this point, two validators, JwtTimestampValidator and
JwtIssuerValidator, are available for use.
Fixes: gh-5133
OIDC Provider Configuration is now being used to create more than just
ClientRegistration instances. Also, the endpoint is being addressed in
more contexts than just the client.
To that end, this refactors OidcConfigurationProvider in the config
project to ClientRegistrations in the oauth2-client project.
Fixes: gh-5647
This exposes #authenticationEntryPoint(), #accessDeniedHandler, on
the Resource Server DSL.
With these, a user can customize the error responses when a bearer
token request fails.
Fixes: gh-5497
This introduces #bearerTokenResolver(BearerTokenResolver) to the
Resource Server DSL, allowing users to configure the resolver to allow
the access token as part of the request body or a query parameter. It
also allows the user to replace the resolver with a completely custom
one.
This also introduces the same ability by exposing a bean of type
BearerTokenResolver
Fixes: gh-5496
For the remember me test, there is some hand configuration that was
carried over from the groovy test as there isn't a way via the xml
config to achieve the same result.
For the attribute exchange test, in order to reduce the amount of
endpoint configuration, the test uses a bit of reflection to disable
the OpenID association step. This is because the xml config does not
support wiring a custom ConsumerManager, like the java configurer
does.
Issue: gh-4939
Note that originally there were five tests in the groovy test, however
the last one, multipleAuthenticationManagersWorks, turned out to be a
duplicate after creating the test
requestWhenUsingMutuallyExclusiveHttpElementsThenIsRoutedAccordingly
As such, the new file contains just four tests.
Issue: gh-4939
Some of Resource Server Configurer's tests were relying on specific
error messaging from Nimbus and from the JDK, which makes them
brittle.
These tests now simply confirm that resource server responses
contain the correct error state without relying on specific wording
outside of our control.
It is quite likely we will need to prevent certain Exceptions from being
saved or from triggering a saved request. When we add support for this,
we can now leverage @Transient vs creating a new annotation.
Issue: gh-5481
Introducing initial support for Jwt-Encoded Bearer Token authorization
with remote JWK set signature verification.
High-level features include:
- Accepting bearer tokens as headers and form or query parameters
- Verifying signatures from a remote Jwk set
And:
- A DSL for easy configuration
- A sample to demonstrate usage
Fixes: gh-5128
Fixes: gh-5125
Fixes: gh-5121
Fixes: gh-5130
Fixes: gh-5226
Fixes: gh-5237
