Prior to this change authorities are always mapped using well known
claim names ('scope' or 'scp'). To change this default behaviour the
converter had to be replaced completely with a custom one.
This commit adds an additional setter to configure a custom
claim name like e.g. 'roles'. Without specifying a custom claim name
the default claims to be used still remains to the well known ones.
This way the authorities can be mapped according to customized
token claims.
Fixes gh-7100
Prior to this change mapped authorities are always prefixed
with default value 'SCOPE_'. To change this default behaviour the
converter had to be replaced completely with a custom one.
This commit adds an additional setter to configure a custom
authority prefix like e.g. 'ROLE_'. Without specifying a custom prefix
the default prefix still remains 'SCOPE_'.
This way existing authorization checks using the standard 'ROLE_'
prefix can be reused without lots of effort.
Fixes gh-7101
Error messages sent by BearerTokenAccessDeniedHandler included
information about the scopes of the rejected token instead of
the scopes required by the resource.
* Removal of token scopes from error_description attribute.
* Removal of scope attribute from WWW-Authenticate response header.
Fixes gh-7089
This commit reverts f6414e9a52f6a66dc8d21c0455c0b9ead7edc520 and
partial revert of e1b095df3260c45c53408ef0a3360a7aa7c5073b.
NOTE: InMemoryReactiveClientRegistrationRepository should not expose a
Map constructor as it would allow the caller to pass in a 'distributed' (remote) Map,
which would result in a blocking I/O operation.
ClientRegistration.Builder defaulted to validating as an
authorization_code registration, though a custom grant type could be in
use. The actual grant_type is now verified for every case.
- Fixed validation in ClientRegistration.Builder
- New test that fails unless the issue is fixed.
Also made OAuth2AuthorizationGrantRequestEntityUtils public to help
implementing custom token response clients.
Fixes gh-7040
Make BearerTokenAuthenticationFilter expose an AuthenticationFailureHandler which, by default, invokes the AuthenticationEntryPoint set in the filter.
Fixes gh-7009
Previously ServerBearerTokenAuthenticationConverter would throw an
IllegalArgumentException when the access token in a URI was empty String.
It also incorrectly provided HttpStatus.BAD_REQUEST for an empty String
access token in the headers.
This changes ServerBearerTokenAuthenticationConverter to consistently
throw a OAuth2AuthenticationException with an HttpStatus.UNAUTHORIZED
Fixes gh-7011
Currently, "ReactiveJwtAuthenticationConverterAdapter" takes
"JwtAuthenticationConverter" as its constructor argument. However,
this limits the usage of this adapter.
In this commit, widen the constructor to take "Converter<Jwt,
AbstractAuthenticationToken>" and allow this adapter to be used by
generic converters.
Added support for OAuth 2.0 Authorization Server Metadata as per the
RFC 8414 specification. Updated the existing implementation of OpenId to
comply with the Compatibility Section of RFC 8414 specification.
Fixes: gh-6500
Simplified the initial support to introduce fewer classes and only the
features described in the ticket.
Changed tests to align with existing patterns in the repository.
Added JavaDoc to remaining public methods introduced for this feature.
Issue: gh-6634
Issue: gh-6851
