Commit Graph

798 Commits

Author SHA1 Message Date
Phillip Webb 7a715f9086 Polish spring-security-oauth2-client main code
Manually polish `spring-security-oauth-cleint` following the
formatting and checkstyle fixes.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb 834dcf5bcf Use consistent ternary expression style
Update all ternary expressions so that the condition is always in
parentheses and "not equals" is used in the test. This helps to bring
consistency across the codebase which makes ternary expression easier
to scan.

For example: `a = (a != null) ? a : b`

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 8d3f039f76 Reduce method visibility when possible
Reduce method visibility for package private classes when possible.

In the case of abstract classes that will eventually be made public,
the class has been made public and a package-private constructor has
been added.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 612fb22a7f Remove unnecessary lambda blocks
Remove lambda blocks that aren't needed and replace instead with a
simple expression.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 52f20b5281 Use parenthesis with single-arg lambdas
Use regular expression search/replace to ensure all single-arg
lambdas have parenthesis. This aligns with the style used in Spring
Boot and ensure that single-arg and multi-arg lambdas are consistent.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 01d90c9881 Hide utility class constructors
Update all utility classes so that they have a private constructor. This
prevents users from accidentally creating an instance, when they should
just use the static methods directly.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb ff94944313 Add whitespace after copyright header
Add an additional lines after the copyright header and before the
`package` declaration. This aligns with the style used by Spring
Framework.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 31ec450d05 Remove superfluous comments
Remove a few comments that previously add noise but don't offer a great
deal of value.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 8d80166aaf Update exception variable names
Consistently use `ex` for caught exception and `cause` for Exception
constructor arguments.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb e9130489a6 Remove restricted static imports
Replace static imports with class referenced methods. With the exception
of a few well known static imports, checkstyle restricts the static
imports that a class can use. For example, `asList(...)` would be
replaced with `Arrays.asList(...)`.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb db55ef4b3b Migrate to BDD Mockito
Migrate Mockito imports to use the BDD variant. This aligns better with
the "given" / "when" / "then" style used in most tests since the "given"
block now uses Mockito `given(...)` calls.

The commit also updates a few tests that were accidentally using
Power Mockito when regular Mockito could be used.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 18f3d13363 Fix parenthesis padding issues
Fix a few parenthesis padding issues caused by the formatter.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 81fe9fc640 Make all exception classes immutable
Update all exception classes so that they are fully immutable and cannot
be changed once they have been thrown.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb a0b9442265 Use consistent modifier order
Update code to use a consistent modifier order that aligns with that
used in the "Java Language specification".

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb a2f2e9ac8d Move inner-types so that they are always last
Move all inner-types so that they are consistently the last item
defined. This aligns with the style used by Spring Framework and
the consistency generally makes it easier to scan the source.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 418c3d6808 Avoid inner assignments
Replace code of the form `a = b =c` with distinct statements. Although
this results in more lines of code, they are usually easier to
understand.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 9e08b51ed3 Apply code cleanup rules to projects
Apply automated cleanup rules to add `@Override` and `@Deprecated`
annotations and to fix class references used with static methods.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 8866fa6fb0 Always use 'this.' when accessing fields
Apply an Eclipse cleanup rules to ensure that fields are always accessed
using `this.`. This aligns with the style used by Spring Framework and
helps users quickly see the difference between a local and member
variable.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 6894ff5d12 Make classes final where possible
Update classes that have private constructors so that they are also
declared final. In a few cases, inner-classes used private constructors
but were subclassed. These have now been changed to have package-private
constructors.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 37fa94fafc Organize imports
Use "organize imports" from Eclipse to cleanup import statements so
that they appear in a consistent and well defined order.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 5f64f53c3f Use consistent "@" tag order in Javadoc
Ensure that Javadoc "@" tags appear in a consistent and well defined
order.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb b7fc18262d Reformat code using spring-javaformat
Run `./gradlew format` to reformat all java files.

Issue gh-8945
2020-08-24 17:32:56 -05:00
Martin Vietz 0486d5add9 scopes_supported metadata not used as default in ClientRegistrations
Closes gh-8514
2020-08-20 08:09:54 -04:00
Phillip Webb 27ac046d8a Rename *Test.java -> *Tests.java
Rename a few test classes that accidentally ended in `Test` instead of
`Tests`.

Issue gh-8945
2020-08-10 16:24:44 -05:00
Joe Grandja 1d74d556c2 Revert "Lock Dependency Versions for 5.4.0-RC1"
This reverts commit f3a1e5d40c.
2020-08-05 14:59:11 -04:00
Joe Grandja f3a1e5d40c Lock Dependency Versions for 5.4.0-RC1 2020-08-05 13:46:11 -04:00
Joe Grandja 3bc0b8c144 Revert "Fix snapshot build failure related to reactor-netty"
This reverts commit f37714a26f.
2020-08-04 14:24:32 -04:00
Joe Grandja f37714a26f Fix snapshot build failure related to reactor-netty
Closes gh-8909
2020-08-04 14:17:03 -04:00
Joe Grandja 8146b1fdda Deprecate CustomUserTypesOAuth2UserService
Closes gh-8908
2020-08-04 13:23:44 -04:00
Joe Grandja 73e550a867 Polish gh-8906 2020-08-04 11:16:26 -04:00
Joe Grandja 0ed919f072 Deprecate ClientRegistration.redirectUriTemplate
Closes gh-8906
2020-08-04 11:03:29 -04:00
Joe Grandja a0c10f2df6 Allow for custom ClientRegistration.clientAuthenticationMethod
Closes gh-8903
2020-08-04 08:48:56 -04:00
Joe Grandja 4e5a304a8a Remove use of Mono.deferWithContext()
Closes gh-8901
2020-08-04 07:26:32 -04:00
Dávid Kováč dfaf251970 Resolve Bearer token after subscribing to publisher
Bearer token was resolved immediately after calling method convert. In situations when malformed token was provided or authorization header and access token query param were present in request exception was thrown instead of signalling error.
After this change Bearer token is resolved on subscription and invalid states are handled by signaling error to subscriber.

Closes gh-8865
2020-08-03 11:04:21 -05:00
Josh Cummings f6e47830fe
Remove unused import
Issue gh-8589
2020-07-31 08:37:32 -06:00
Josh Cummings 90e5f45e1f
Polish to Avoid NPE
Issue gh-5648

Co-authored-by: MattyA <mat.auburn@gmail.com>
2020-07-30 16:56:41 -06:00
Josh Cummings b2728059ae
Additional Jwt Validation Debug Messages
Closes gh-8589

Co-authored-by: MattyA <mat.auburn@gmail.com>
2020-07-30 16:56:37 -06:00
Dennis Neufeld de572be8e9 Add OAuth2AuthenticationException to allowlist
Add mixins for
- OAuth2AuthenticationException
- OAuth2Error

Closes gh-8797
2020-07-21 10:14:45 -04:00
Josh Cummings d3bea02124
Polish Bearer Token Padding
Issue gh-8502
2020-07-15 18:14:39 -06:00
kothasa d38dabac02
Bearer Token Padding
Closes gh-8502
2020-07-15 18:13:51 -06:00
Josh Cummings 221c33f558
Polish OAuth2IntrospectionAuthenticatedPrincipal
Removed some duplication by delegating to
DefaultOAuth2AuthenticatedPrincipal

Changed order of listed interfaces to satisfy compiler issue. When
listed with OAuth2AuthenticatedPrincipal first, then
OAuth2ResourceServerBeanDefinitionParserTests would fail to import
OpaqueTokenBeanDefinitionParser. Switching
OAuth2AuthenticatedPrincipal with OAuth2IntrospectionClaimAccessor
resolved the compilation issue.

Issue gh-6489
2020-07-09 18:01:55 -06:00
Dávid Kováč af1c96b425
Simplify OAuth 2.0 Introspection Attribute Retrieval
In order to simplify retrieving of OAuth 2.0 Introspection specific
attributes, OAuth2IntrospectionClaimAccessor interface was introduced
and also new OAuth2AuthenticatedPrincipal implementing this new
interface (OAuth2IntrospectionAuthenticatedPrincipal).

Also DefaultOAuth2AuthenticatedPrincipal was replaced by
OAuth2IntrospectionAuthenticatedPrincipal in cases where OAuth 2.0
Introspection is performed (NimbusOpaqueTokenIntrospector,
NimbusReactiveOpaqueTokenIntrospector).

DefaultOAuth2AuthenticatedPrincipal can be still used by applications
that introspected the token without OAuth 2.0 Introspection.

OAuth2IntrospectionAuthenticatedPrincipal will also be used as a
default principal in tests where request is post-processed/mutated
by OpaqueTokenRequestPostProcessor/OpaqueTokenMutator.

Closes gh-6489
2020-07-09 17:26:13 -06:00
Joe Grandja b69bcf88e0 Improve error message when invalid content-type for UserInfo response
Closes gh-8764
2020-07-09 14:10:14 -04:00
Josh Cummings 146d0b6358
Revert "Lock Dependency Versions for 5.4.0-M2"
This reverts commit 68538897c8.
2020-07-01 13:11:50 -06:00
Josh Cummings 68538897c8
Lock Dependency Versions for 5.4.0-M2 2020-07-01 12:40:29 -06:00
Eleftheria Stein eb7b27695d Compare Timestamps up to the millisecond
Issue gh-8782
2020-07-01 11:12:55 +02:00
Benjamin Bargeton 497ef5e74e OAuth2AccessTokenResponse.Builder.expiresIn works after withResponse
Closes gh-8702
2020-06-30 15:15:10 -04:00
Jan Oopkaup d31fff11b3
Add Post-Processor for JWTProcessor Configuration
Extends all existing builders in NimbusJwtDecoder and NimbusReactiveJwtDecoder with a
post-processor hook to apply changes on the JWTProcessor used for token verification.
Test cases added show how this is used to configure the JWTProcessor to allow additional
JWT typ headers.

Closes gh-8730
2020-06-26 07:52:16 -06:00
Joe Grandja 659b25a4e5 Fix typo in OAuth2AccessTokenResponse
Closes gh-8746
2020-06-22 08:21:59 -04:00
Rob Winch ca1252be94 Replace whitelist with allowlist
Issue gh-8676
2020-06-10 11:49:21 -05:00
Joe Grandja da4b626bf1 OAuth2LoginAuthenticationWebFilter should handle OAuth2AuthorizationException
Issue gh-8609
2020-06-09 17:28:21 -04:00
Joe Grandja 4c902bb857 OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException
Fixes gh-8609
2020-06-09 17:28:21 -04:00
Josh Cummings 1d821a2664
Add Ticket Number to Test
Issue gh-8650
2020-06-05 14:24:49 -06:00
Erik Bakker cd3fd6762f
Don't Consume Request Body
Per the servlet spec, getParameter(name) consumes the request body for
POST requests.

This commit prevents DefaultOAuth2AuthorizationRequestResolver from
consuming the request body for non-Authorization requests.

Closes gh-8650
2020-06-05 14:21:00 -06:00
Parikshit Dutta 28d2cfa14a Add ServerRequestCache setter in OAuth2AuthorizationCodeGrantWebFilter
Fixes gh-8536
2020-06-02 21:54:09 -04:00
Josh Cummings aa84c79e87
Use Nimbus Multiple Algorithm Support
Closes gh-8623
2020-06-02 12:49:21 -06:00
Parikshit Dutta 1e211b6558 Add RequestCache setter in OAuth2AuthorizationCodeGrantFilter
Fixes gh-8120
2020-05-15 15:13:15 -04:00
Joe Grandja c1abc9b134 Polish gh-8501 2020-05-15 13:26:09 -04:00
Thomas Vitale 78fa859798 Add issuerUri to ClientRegistration.providerDetails
- Add "issuerUri" attribute to ClientRegistration.providerDetails for OpenID Connect Discovery 1.0 or OAuth 2.0 Authorization Server Metadata.
- Validate OidcIdToken "iss" claim against the OpenID Provider "issuerUri" value.
- Update documentation for client registration: it includes issuer-uri property now.

Fixes gh-8326
2020-05-14 17:13:07 -04:00
Joe Grandja 86ca6b013c Unlock dependencies
This reverts commit 206960cf44.
2020-05-06 17:27:35 -04:00
Joe Grandja 206960cf44 Lock dependencies for 5.4.0-M1 2020-05-06 17:13:04 -04:00
Stav Shamir a783fbc641 Support update when saving with JdbcOAuth2AuthorizedClientService
Before this commit, JdbcOAuth2AuthorizedClientService threw DuplicateKeyException when re-authorizing or when authorizing the same user from a different client.

This commit makes JdbcOAuth2AuthorizedClientService's saveAuthorizedClient method consistent with that of InMemoryOAuth2AuthorizedClientService.

Fixes gh-8425
2020-04-29 07:37:57 -04:00
Julian Müller 60d4d5b7ee Enables empty authorityPrefix
- docs stated that empty authorityPrefix are allowed but implementation denied to use `""`
- commit removes the `hasText`-limitation but restricts to `notNull`

Fixes gh-8421
2020-04-22 08:52:54 -05:00
Daniel Furtlehner 32ce94d2dd Validate ID Token Issuer
When the issuer is set in the provider metadata, we validate the iss
field of the ID Token against it.

The OpenID Connect Specification says this must always be validated.
But this would be a breaking change for applications configured other
than with ClientRegistrations.fromOidcIssuerLocation(issuer). This will
be done later with #8326

Fixes gh-8321
2020-04-21 20:30:01 -04:00
Antonin Arquey 5cd1ec7bb3 Add AuthoritiesMapper setter for reactive OAuth2Login
Allow the configuration of a custom GrantedAuthorityMapper for reactive OAuth2Login

- Add setter in OidcAuthorizationCodeReactiveAuthenticationManager
  and OAuth2LoginReactiveAuthenticationManager

- Use an available GrantedAuthorityMapper bean to configure the default ReactiveAuthenticationManager

Fixes gh-8324
2020-04-17 16:55:05 -04:00
Evgeniy Cheban a70d55552b
Resource Server Finds JwtAuthenticationConverter Beans
Fixes gh-8185
2020-04-13 22:47:20 -06:00
Josh Cummings 10aa9743ed
Polish NimbusJwtDecoder
- Follow convention to prefix member variable references with "this."
- Reduce stack trace when IOException is thrown
- Name tests to follow conventions

Issue gh-8332
2020-04-10 16:45:01 -06:00
Mykyta Bezverkhyi 9133cc24e4
Add Cache to NimbusJwtDecoderJwkSetUriBuilder
PR gh-8332
2020-04-10 16:45:01 -06:00
Teddy Reinert 2f8eb16d76
Allow custom header during bearer token extraction
Added ability to specify the header that
ServerBearerTokenAuthenticationConverter and
DefaultBearerTokenResolver use to extract a Bearer Token.

Fixes gh-8337
2020-04-09 10:36:03 -06:00
Evgeniy Cheban 25fb1f417d Added setPrincipalClaimName to JwtAuthenticationConverter
Fixes gh-8186
2020-04-07 16:20:43 -06:00
Ruby Hartono 71b4248fe6 Improve OAuth2LoginAuthenticationProvider
1. update OAuth2LoginAuthenticationProvider to use
OAuth2AuthorizationCodeAuthenticationProvider
2. apply fix gh-5368 for OAuth2AuthorizationCodeAuthenticationProvider
to return additionalParameters value from accessTokenResponse

Fixes gh-5633
2020-03-30 20:55:43 -04:00
Martin Nemec 75c05d0bb4 OAuth2 ClientRegistrations NPE fix when userinfo missing
Fixes gh-8187
2020-03-27 05:58:28 -04:00
Joe Grandja 93ed92cc94 OAuth2ErrorHttpMessageConverter handles JSON object parameters
Fixes gh-8157
2020-03-24 14:51:04 -04:00
Joe Grandja 46baf38f59 Fix OAuth2AuthorizationRequest additionalParameters/attributes Consumer
Fixes gh-8177
2020-03-24 13:44:09 -04:00
Joe Grandja a9dabf6efb Assign sensible default for OAuth2AuthorizedClientProvider
Fixes gh-8150
2020-03-19 11:44:30 -04:00
Joe Grandja 26414ad3af Fix NPE when token response contains a null value
Fixes gh-8108
2020-03-16 15:56:59 -04:00
Josh Cummings 6eadf7b140
Unlock dependencies for 5.3.0.RELEASE
This reverts commit 147d7dadd7.
2020-03-04 12:02:48 -07:00
Josh Cummings 147d7dadd7
Lock dependencies for 5.3.0.RELEASE 2020-03-04 10:28:39 -07:00
Roman Matiushchenko 9d66f2ccce polish gh-7996
Make defensive collection copy as Collections.unmodifiableCollection
does not protect from the source collection direct modification.
Use Mono#map instead of Mono#flatMap as it allocates less.
Use less operators to reduce allocations.
Use lambda parameter instead of outer method parameter
in authenticationManagers#computeIfAbsent()
to make it non capturing so it could be cached by JVM.
Propagate cause for InvalidBearerTokenException.
2020-02-27 09:29:43 -07:00
Roman Matiushchenko 04e671fb4d Instantiate exceptions lazily
Add lazy Exception instantiation to reduce allocations

Fixes gh-7995
2020-02-27 09:29:43 -07:00
Josh Cummings 968ebb194b
baseUrl placeholder for OidcLogoutSuccessHandlers
Fixes gh-7842
2020-02-25 13:35:50 -07:00
Josh Cummings 283e451cad
Update JwtDecoders tests
Issue gh-7860
2020-02-25 13:33:20 -07:00
Zeeshan Adnan 431cd6000b
Add JwtClaimValidator
Fixes gh-7860
2020-02-25 13:32:41 -07:00
Joe Grandja fb2bbd74dc OAuth2AccessTokenResponseHttpMessageConverter handles JSON object parameters
Fixes gh-6463
2020-02-24 15:36:53 -05:00
Joe Grandja fa73b1397a Add missing @FunctionalInterface in oauth2 modules
Fixes gh-8020
2020-02-24 11:53:30 -05:00
Joe Grandja 3e5600f83f Add configurable Clock in OidcIdTokenValidator
Fixes gh-8019
2020-02-24 11:21:03 -05:00
Joe Grandja 7734d049eb Polish javadoc gh-7511 2020-02-24 10:35:58 -05:00
Joe Grandja d32c98b1c5 Add OAuth2AuthorizeRequest.Builder.principal(String)
Fixes gh-8018
2020-02-24 09:58:38 -05:00
Joe Grandja c6da7b2dd6 Polish gh-7840 2020-02-24 09:28:00 -05:00
Joe Grandja 65b5d468fb Deprecate UnAuthenticatedServerOAuth2AuthorizedClientRepository
Fixes gh-8016
2020-02-24 06:50:58 -05:00
Joe Grandja 4e2f1988f2 Polish Fix package tangles
Issue #7699 #7840
2020-02-24 06:42:00 -05:00
Joe Grandja 82cd203791 Remove unnecessary mocking
Fixes gh-8012
2020-02-23 19:35:16 -05:00
Joe Grandja 204a612be1 Deprecate Implicit Grant
Fixes gh-8013
2020-02-23 19:34:52 -05:00
Joe Grandja c8cc9717c9 Fix package tangles
Issue #7699 #7840
2020-02-23 07:24:36 -05:00
Joe Grandja f2da2c56be Resolve OAuth2Error from WWW-Authenticate header
Issue gh-7699
2020-02-21 15:12:58 -05:00
Joe Grandja 69156b741d Add OAuth2Authorization success/failure handlers
Fixes gh-7840
2020-02-21 15:12:58 -05:00
Joe Grandja 23ce717380 Simplify customizing OAuth2AuthorizationRequest
Fixes gh-7696
2020-02-19 06:22:07 -05:00
Joe Grandja de8b558561 Add JDBC implementation of OAuth2AuthorizedClientService
Fixes gh-7655
2020-02-13 12:17:29 -05:00
Joe Grandja ff8002eb2e Polish gh-4557 2020-02-12 15:47:57 -05:00
Joe Grandja 0809c04aa2 OAuth2AuthorizationCodeGrantWebFilter matches on query parameters
Fixes gh-7966
2020-02-10 15:11:04 -05:00
Joe Grandja 3c86239b39 OAuth2AuthorizationCodeGrantFilter matches on query parameters
Fixes gh-7963
2020-02-10 05:13:47 -05:00
Manuel Bleichenbacher d3490b0f87 Prevent double-escaping of authorize URL parameters
If the authorization URL in the OAuth2 provider configuration contained query parameters with escaped characters, these characters were escaped a second time. This commit fixes it.

It is relevant to support the OIDC claims parameter (see https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter).

Fixes gh-7871
2020-02-08 16:40:15 -05:00
Stephane Maldini 851be025e9 Don't force downcasting of RequestAttributes to ServletRequestAttributes
Fixes gh-7952
2020-02-07 20:44:19 -05:00
Josh Cummings a90e579350 Add JwtIssuerReactiveAuthenticationManagerResolver
Fixes gh-7857
2020-02-06 13:45:13 -07:00
Eleftheria Stein 84b8a5abd7 Unlock dependencies for next development version
This reverts commit 064616f1ef.
2020-02-05 15:53:04 +01:00
Eleftheria Stein 064616f1ef Lock dependencies for 5.3.0.RC1 2020-02-05 10:20:05 +01:00
Josh Cummings 209c81d65d
Add BadOpaqueTokenException
Updated NimbusOpaqueTokenIntrospector and
NimbusReactiveOpaqueTokenIntrospector to throw.
Updated OpaqueTokenAuthenticationProvider and
OpaqueTokenReactiveAuthenticationManager to catch.

Fixes gh-7902
2020-02-04 17:33:08 -07:00
Josh Cummings 0c3754c811
Add BadJwtException
Updated NimbusJwtDecoder and NimbusReactiveJwtDecoder to throw.
Updated JwtAuthenticationProvider and JwtReactiveAuthenticationManager
to catch.

Fixes gh-7885
2020-02-04 17:33:08 -07:00
Josh Cummings fbdecdafb8
Add Mapping to Invalid Bearer Token
Fixes gh-7793
2020-02-04 17:33:08 -07:00
Joe Grandja 25d029b092 Fix test gh-7873 2020-02-04 12:00:55 -05:00
Joe Grandja 04f3fe8af9 Add Jackson support for oauth2-client session related classes
Fixes gh-4886
2020-02-04 09:01:12 -05:00
Josh Cummings 3e07b35611
Polish Bearer Token Error Handling
Issue gh-7822
Issue gh-7823
2020-02-03 17:54:39 -07:00
Josh Cummings 1b15f74f57
Add InvalidBearerTokenException
Fixes gh-7822
2020-02-03 17:54:39 -07:00
Josh Cummings 7b2fcd17f5
Add BearerTokenErrors
Fixes gh-7823
2020-02-03 17:54:33 -07:00
Josh Cummings 7550907e03
Polish OAuth2AccessTokenResponse converters
Since these converters no longer have a direct reference to the HTTP
stack, it would be better to move them into another package. Also, now
that the converters are public, we should follow the prevailing
converter naming convention, which is to call it STConverter for an
implementation of Converter<S, T>.
2020-01-30 16:42:44 -07:00
Nikita Konev 704f98688d
Make OAuth2AccessTokenResponse converters public 2020-01-30 16:42:44 -07:00
Phil Clay e5fca61810 Introduce Reactive OAuth2Authorization success/failure handlers
All ReactiveOAuth2AuthorizedClientManagers now have authorization success/failure handlers.
A success handler is provided to save authorized clients for future requests.
A failure handler is provided to remove previously saved authorized clients.

ServerOAuth2AuthorizedClientExchangeFilterFunction also makes use of a
failure handler in the case of unauthorized or forbidden http status code.

The main use cases now handled are
- remove authorized client when an authorization server indicates that a refresh token is no longer valid (when authorization server returns invalid_grant)
- remove authorized client when a resource server indicates that an access token is no longer valid (when resource server returns invalid_token)

Introduced ClientAuthorizationException to capture details needed when removing an authorized client.
All ReactiveOAuth2AccessTokenResponseClients now throw a ClientAuthorizationException on failures.

Created AbstractWebClientReactiveOAuth2AccessTokenResponseClient to unify common logic between all ReactiveOAuth2AccessTokenResponseClients.

Fixes gh-7699
2020-01-16 15:24:55 -05:00
Eleftheria Stein fcc6457bef Unlock dependencies for next development version
This reverts commit 93acf8f0f1.
2020-01-08 22:15:17 +01:00
Eleftheria Stein 93acf8f0f1 Lock dependencies for 5.3.0.M1 2020-01-08 19:41:10 +01:00
Josh Cummings de87675f6d Add JwtIssuerAuthenticationManagerResolver
Fixes gh-7724
2020-01-07 23:30:42 -07:00
Rob Winch 65981444f1 Use Version Ranges
Fixes gh-7788
2020-01-06 14:46:48 -06:00
Josh Cummings 02f161aba7
Use OidcIdToken.Builder
Issue gh-7592
2019-12-12 07:37:15 -07:00
Phil Clay cffad1be02 Polish #7589
Rename OAuth2AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager to AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager.

Handle empty mono returned from contextAttributesMapper.

Handle empty map returned from contextAttributesMapper.

Fix DefaultContextAttributesMapper so that it doesn't access ServerWebExchange.

Fix unit tests so that they pass.

Use StepVerifier in unit tests, rather than .subscribe().

Fixes gh-7569
2019-12-10 13:59:51 -05:00
Ankur Pathak c29309d744 Reactive Implementation of AuthorizedClientServiceOAuth2AuthorizedClientManager
ReactiveOAuth2AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager is reactive
version of AuthorizedClientServiceOAuth2AuthorizedClientManager

Fixes: gh-7569
2019-12-10 13:59:51 -05:00
Joe Grandja 24500fa3ca Remove redundant validation for redirect-uri
Fixes gh-7706
2019-12-06 11:55:31 -05:00
Josh Cummings bb8706977d
Polish DefaultOAuth2AuthorizedClientManager 2019-12-02 16:05:17 -07:00
Joe Grandja 65513f2e3b Polish OAuth2AuthorizedClientArgumentResolver 2019-11-28 09:48:01 -05:00
Joe Grandja 80f256e425 ServerOAuth2AuthorizedClientExchangeFilterFunction works with UnAuthenticatedServerOAuth2AuthorizedClientRepository
Fixes gh-7544
2019-11-28 09:48:01 -05:00
Joe Grandja 07b8aa0b1f DefaultReactiveOAuth2AuthorizedClientManager requires non-null serverWebExchange
Issue gh-7544
2019-11-28 09:48:01 -05:00
Josh Cummings 6ff71d8113
Add OidcUserInfo.Builder
Fixes gh-7593
2019-11-26 16:12:06 -07:00
Josh Cummings c76775159c
Add OidcIdToken.Builder
Fixes gh-7592
2019-11-26 16:12:06 -07:00
Josh Cummings 22ae3eb765
Polish Error-handling Tests
Tests should assert the error message content that Spring Security
controls.

Fixes gh-7647
2019-11-14 16:13:39 -07:00
Rafiullah Hamedy 58ca81d500 Make jwks_uri optional for RFC 8414 and Required for OpenID Connect
OpenID Connect Discovery 1.0 expects the OpenId Provider Metadata 
response is expected to return a valid jwks_uri, however, this field is 
optional in the Authorization Server Metadata response as per RFC 8414
specification.

Fixes gh-7512
2019-11-11 10:34:06 -07:00
Josh Cummings ed02ef9773
Add Test for Malformed Scope
Fixes gh-7563
2019-10-28 16:55:56 -06:00
Josh Cummings 387f765595
Catch Malformed BearerTokenError Descriptions
Fixes gh-7549
2019-10-28 12:30:27 -06:00
Phil Clay 8584b12c8d Make saveAuthorizedClient save the authorized client
Previously, saveAuthorizedClient never actually saved the authorized
client, because it ignored the Mono<Void> returned from
authorizedClientRepository.saveAuthorizedClient.

Now, it does not ignore the Mono<Void> returned from
authorizedClientRepository.saveAuthorizedClient, and includes it in
the stream, and therefore it will properly save the authorized client.

Fixes gh-7546
2019-10-23 12:12:23 -04:00
Joe Grandja 1c53a7859b Fix access token expiry check with clock skew
Fixes gh-7511
2019-10-22 21:54:55 -04:00
Everett Irwin 6ad328f909 Add Clock Skew Tests
Fixes gh-7511

Co-authored-by: Isaac Cummings <josh.cummings+zac@gmail.com>
2019-10-17 20:19:47 -06:00
Josh Cummings adf9769eed
Add ClientRegistration.withClientRegistration
Fixes gh-7486
2019-09-27 14:17:50 -06:00
Josh Cummings 33ba292fed
Resource Server w/ SecurityReactorContextSubscriber
Fixes gh-7423
2019-09-27 11:01:04 -06:00
Joe Grandja 7217bb5eb0 Remove FIXME in OAuth2LoginReactiveAuthenticationManager 2019-09-27 12:13:13 -04:00
Joe Grandja 2a5bd6e719 Align Servlet ExchangeFilterFunction CoreSubscriber
Fixes gh-7422
2019-09-26 16:17:17 -04:00
Joe Grandja d3b7a47ef8 Polish gh-4442 2019-09-25 21:37:31 -04:00
Mark Heckler da9f027fa4 Add nonce to OIDC Authentication Request
Fixes gh-4442
2019-09-25 14:57:54 -04:00
Joe Grandja 9f18c2e21a OAuth2AuthorizationCodeGrantWebFilter matches on registered redirect-uri
Fixes gh-7036
2019-09-24 11:07:36 -04:00
Rob Winch ff54eb878a Use Schedulers.boundedElastic()
Fixes gh-7457
2019-09-19 13:51:06 -05:00
Rob Winch 00f8991fac Merge Remove Redudant Throws
Fixes gh-7301
2019-09-19 11:04:53 -05:00
Josh Cummings 05caf3d8fb
Use Jwt.Builder
Fixes gh-7443
2019-09-16 14:00:25 -06:00
Josh Cummings 40901fe072
Jwt.Builder#notBefore Value Is Instant
Fixes gh-7442
2019-09-16 14:00:25 -06:00
Joe Grandja 88c749263b Polish javadoc for OAuth2AuthorizedClientManager 2019-09-12 19:25:49 -04:00
Josh Cummings 101e0a21a8 Bearer WebClient Filter Authentication Propagation
Fixes: gh-7418
2019-09-11 16:27:21 +01:00
Joe Grandja dcdeab596d DefaultReactiveOAuth2AuthorizedClientManager defaults ServerWebExchange
Fixes gh-7390
2019-09-10 11:40:28 -04:00
Eddú Meléndez 91bf1c782a Make OAuth2User extends OAuth2AuthenticatedPrincipal
Fixes gh-7378
2019-09-09 14:36:35 +01:00
Joe Grandja 93cda94969 Add attributes Consumer to OAuth2AuthorizationContext
Fixes gh-7385
2019-09-06 08:01:59 -04:00
Joe Grandja f7d03858f1 OAuth2AuthorizedClientManager implementation works outside of request
Fixes gh-6780
2019-09-06 06:10:36 -04:00
Joe Grandja a60446836b OAuth2AuthorizeRequest supports attributes
Fixes gh-7341
2019-09-05 21:04:25 -04:00
Rob Winch 2a3bf9b6bb DefaultReactiveOAuth2UserService IOException
Improve handling of IOException to report an
AuthenticationServiceExceptionThere are many reasons that a
DefaultReactiveOAuth2UserService might fail due to an IOException
(i.e. SSLHandshakeException). In those cases we should use a
AuthenticationServiceException so that users are aware there is likely
some misconfiguration.

Fixes gh-7370
2019-09-05 13:31:30 -05:00
Andreas Kluth c46b224ec4 Remove OAuth2AuthorizationRequest when a distributed session is used
Dirties the WebSession by putting the amended AUTHORIZATION_REQUEST map into
the WebSession even it was already in the map. This causes common SessionRepository
implementations like Redis to persist the updated attribute.

Fixes gh-7327

Author: Andreas Kluth <mail@andreaskluth.net>
2019-09-05 09:31:32 -04:00
Josh Cummings 099d49aa40 Simplify currentAuthentication() 2019-09-04 15:33:41 -06:00
Josh Cummings 40ff837713 Polish Server|ServletBearerExchangeFilterFunction
Fixes gh-7353
2019-09-04 15:33:41 -06:00
Joe Grandja e6618d4d50 Removed unused OAuth2AuthorizedClientResolver
Fixes gh-7357
2019-09-04 16:56:40 -04:00
Josh Cummings 833bfd0c22 Add Authorities from Access Token 2019-09-04 14:15:28 -06:00
Josh Cummings aa1c80c801 Grant Individual Authorities From Claims
Fixes gh-7339
2019-09-04 14:15:28 -06:00
Joe Grandja 409285fb3d Fix test
Issue gh-7350
2019-09-04 14:27:01 -04:00
Joe Grandja 0ac8618eac Align DefaultOAuth2AuthorizedClientManager.DefaultContextAttributesMapper
Fixes gh-7350
2019-09-04 14:07:45 -04:00
Joe Grandja dcd997ea43 Add support for Resource Owner Password Credentials grant
Fixes gh-6003
2019-09-04 14:07:45 -04:00
Josh Cummings d7f7e9d4b7 Add Jwt to BearerTokenAuthentication Converter
Fixes gh-7346
2019-09-03 15:58:05 -06:00
Josh Cummings 068f4f0147 Polish Opaque Token
Use OAuth2AuthenticatedPrincipal
Use BearerTokenAuthentication
Update names to reflect more generic approach.

Fixes gh-7344
Fixes gh-7345
2019-09-03 15:58:05 -06:00
Josh Cummings c019507770 Add BearerTokenAuthentication
Fixes gh-7343
2019-09-03 15:58:05 -06:00
Josh Cummings 346b8c2cff Add OAuth2AuthenticatedPrincipal
Fixes gh-7342
2019-09-03 15:58:05 -06:00
Josh Cummings f350988285 Add Servlet and ServerBearerExchangeFilterFunction
Fixes gh-5334
Fixes gh-7284
2019-09-03 15:29:06 -06:00
Bouke Nijhuis dbd1819ea4 add media type jwk-set+json to accept header
Fixes gh-7290
2019-09-03 14:12:50 -04:00
Josh Cummings 5e98b92273
In-memory ClientRegistration Repo Duplicate Check
Fixes gh-7338
2019-09-02 15:30:48 -06:00
kostya05983 f6c650db47
Replace Streams with Loops
First version of replacing streams

fix wwwAuthenticate and codestyle

fix errors in implementation to pass tests

Fix review notes

Remove uneccessary final to align with cb

Short circuit way to authorize

Simplify error message, make code readably

Return error while duplicate key found

Delete check for duplicate, checkstyle issues

Return duplicate error

Fixes gh-7154
2019-09-02 15:30:48 -06:00
Roman Matiushchenko ffc43e02c3 Fix NPE in RequestContextSubscriber
RequestContextSubscriber could cause NPE if Mono/Flux.subscribe()
was invoked outside of Web Context.
In addition it replaced source Context with its own without respect
to old data.
Now Request Context Data is Propagated within holder class and
it is added to existing reactor Context if Holder is not empty.

Fixes gh-7228
2019-08-30 16:49:38 +03:00
Thomas Vitale 505882c944 Consolidate shared code between JwtDecoders and ReactiveJwtDecoders
Extract duplicated code from JwtDecoders and ReactiveJwtDecoders into a
package-private class.

Fixes gh-7263
2019-08-27 09:27:41 -06:00
Lars Grefer 95511331fa fix checkstyle 2019-08-26 22:42:26 +02:00
Eleftheria Stein 323cf9fa92 Polish OAuth2AuthorizedClientResolver 2019-08-26 11:04:19 -04:00
watsta 2c2e8e5f24 Remove internal Optional usage in favor of null checks
Issue gh-7155
2019-08-26 09:27:40 -04:00
Ebert Toribio 2c2d3b5d85 Use ConcurrentHashMap in InMemoryReactiveClientRegistrationRepository
Fixes gh-7299
2019-08-23 20:12:29 -04:00
Joe Grandja bc38a4a3cc Provide configurable Clock in OAuth2AuthorizedClientProvider impls
Fixes gh-7114
2019-08-23 16:43:32 -04:00
Lars Grefer 34dd5fea30 Remove redundant throws clauses
Removes exceptions that are declared in a method's signature but never thrown by the method itself or its implementations/derivatives.
2019-08-23 01:03:54 +02:00
Joe Grandja f0515a021c Polish #7116 2019-08-22 12:01:10 -04:00
Joe Grandja 46756d2e6b Introduce Reactive OAuth2AuthorizedClient Manager/Provider
Fixes gh-7116
2019-08-21 14:12:38 -04:00
Rob Winch a377581951 Fix WebClient Memory Leaks
WebClient exchange requires that the body is consumed. Before this commit
there were places where an Exception was thrown without consuming the body
if the status was not successful. There was also the potential for the
statusCode invocation to throw an Exception of the status code was not
defined which would cause a leak.

This commit ensures that before the Exception is thrown the body is
consumed. It also uses the http status in a way that will ensure an
Exception is not thrown.

Fixes gh-7293
2019-08-21 12:46:11 -05:00
Josh Cummings 0209fbad08 Multiple JWS Algorithms
Fixes: gh-6883
2019-08-20 14:19:59 -04:00
Andreas Falk 766c4434d4 Improve test coverage of JwtGrantedAuthoritiesConverter
Some negative test cases were missing. Added these to have
full test coverage for JwtGrantedAuthoritiesConverter.
2019-08-19 21:14:07 -04:00
Andreas Falk 0a058c973a Add setter for authorities claim name in JwtGrantedAuthoritiesConverter
Prior to this change authorities are always mapped using well known
claim names ('scope' or 'scp'). To change this default behaviour the
converter had to be replaced completely with a custom one.
This commit adds an additional setter to configure a custom
claim name like e.g. 'roles'. Without specifying a custom claim name
the default claims to be used still remains to the well known ones.
This way the authorities can be mapped according to customized
token claims.

Fixes gh-7100
2019-08-19 21:14:07 -04:00
Josh Cummings aa026f8526
Nimbus JWK Set Builders Take SignatureAlgorithm
Fixes gh-7270
2019-08-17 01:10:12 -06:00
Josh Cummings efe8205985
Revert "Nimbus JWK Set Configs Take SignatureAlgorithm"
This reverts commit 9617ff6054.
2019-08-16 17:33:09 -06:00
Josh Cummings 9617ff6054
Nimbus JWK Set Configs Take SignatureAlgorithm
Fixes gh-7270
2019-08-16 14:49:19 -06:00
Andreas Falk b45e57cc40 Add setter for authority prefix in JwtGrantedAuthoritiesConverter
Prior to this change mapped authorities are always prefixed
with default value 'SCOPE_'. To change this default behaviour the
converter had to be replaced completely with a custom one.
This commit adds an additional setter to configure a custom
authority prefix like e.g. 'ROLE_'. Without specifying a custom prefix
the default prefix still remains 'SCOPE_'.
This way existing authorization checks using the standard 'ROLE_'
prefix can be reused without lots of effort.

Fixes gh-7101
2019-08-14 11:25:42 -04:00
Josh Cummings 4ed197e515 Rename OAuth2TokenIntrospectionClient
Renamed to OpaqueTokenIntrospector

Fixes gh-7245
2019-08-12 18:05:28 -04:00
Rob Winch c1db1aad91
Cleanup Code Style Issues
Cleanup Code Style Issues
2019-08-12 13:06:49 -05:00
Lars Grefer ff1070df36 remove redundant modifiers found by checkstyle 2019-08-10 00:18:56 +02:00
Lars Grefer 38de737663 Java 8: Statement lambda can be replaced with expression lambda 2019-08-09 16:59:07 -05:00
Lars Grefer 05f42a4995 Remove unused imports 2019-08-08 14:22:31 -04:00
Lars Grefer 2306d987e9 Cleanup unnecessary boxing 2019-08-06 10:17:38 -04:00
Eddú Meléndez 496579dde2 Add match result for servlet requests
Fixes gh-7148
2019-08-05 19:43:00 -04:00
Eddú Meléndez 2c836a171a Add authenticationFailureHandler method in OAuth2LoginSpec
Allow to customize the failure handler.

Fixes gh-7051
2019-08-05 14:09:11 -05:00