- Support has been added for "RFC7636: Proof Key for Code Exchange by OAuth Public Clients" (PKCE, pronounced "pixy") to mitigate against attacks targeting the interception of the authorization code
- PkceParameterNames was added for the 3 additional parameters used by PKCE (i.e. code_verifier, code_challenge, and code_challenge_method)
- Default code_verifier length has been set to 128 characters--the maximum allowed by RFC7636
- ClientAuthenticationMethod.NONE was added to allow clients to request tokens without providing a client secret
Fixes gh-6446
When we used the oauth2Client directive and requested an endpoint that
required client authorization on the authorization server, the
SPRING_SECURITY_SAVED_REQUEST was not persisted, and therefore after
creating the authorized client we were redirected to the root page ("/").
Now we are storing the session attribute and getting redirected back to
the original URI as expected.
Note that the attribute is stored only when a
ClientAuthorizationRequiredException is thrown in the chain, we dont
want to store it as a response to the
/oauth2/authorization/{registrationId} endpoint, since we would end
up in an infinite loop
Fixes gh-6341
This commit ensures that the JwtDecoderFactory is not a private field inside
the Oidc authentication provider by extracting this class and giving the
possibility to customize the way different providers are validated.
Fixes: gh-6379
Once client credentials access token has expired retrieve a new token from the OAuth2 authorization server.
These tokens can't be refreshed because they do not have a refresh token associated with. This is standard behaviour for Oauth 2 client credentails
Fixes gh-5893
The Authorization header was matched for OAuth2
against the "Bearer" keyword in a case sensitive
fashion.
According to RFC 2617, it should be case insensitive
and some oauth clients (including some earlier
versions of spring-security) expect it so.
This is the reactive counterpart to commit
63f2b6094f .
Fixes gh-6195
The Authorization header was matched for OAuth2
against the "Bearer" keyword in a case sensitive
fashion.
According to RFC 2617, it should be case insensitive
and some oauth clients (including some earlier
versions of spring-security) expect it so.
Added the ability to specify a custom WebClient in
WebClientReactiveClientCredentialsTokenResponseClient.
Also added testing to ensure the custom WebClient is not null and is
used.
Fixes: gh-6051
This ensures that the same URL can work for both log in and
authorization code which prevents having to create additional registrations
on the client and potentially on the server (GitHub only allows a single
valid redirect URL).
Fixes: gh-5856
This introduces a hook for users to customize standard Jwt Claim
values in cases where the JWT issuer isn't spec compliant or where the
user needs to add or remove claims.
Fixes: gh-5223
Extract out a private API for shared code between the argument resolver
and WebClient support. This makes it easier to make changes in both
locations. Later we will extract this out so it is not a copy/paste
effort.
Issue: gh-4921
You can now provide the clientRegistrationId and
ServerOAuth2AuthorizedClientExchangeFilterFunction will look up the authorized client automatically.
Issue: gh-4921
A reactive static builder for constructing and configuring a
ReactiveJwtDecoder via an issuer that supports the OIDC Provider
Configuration spec.
Fixes: gh-5649
NimbusReactiveJwtDecoder incorrectly referred in its class-level doc
as being an implementation of JwtDecoder. This has been corrected to
say ReactiveJwtDecoder.
Fixes: gh-5711
This is necessary so that the saving of the authorized client occurs
outside of the ReactiveAuthenticationManager. It will allow for
saving with the ServerWebExchange when ReactiveOAuth2AuthorizedClientRepository
is added.
Issue: gh-5621
- Adding an ServerAuthenticationConverter interface
- Retro-fitting ServerOAuth2LoginAuthenticationTokenConverter,
ServerBearerTokenAuthentivationConverter, ServerFormLoginAuthenticationConverter,
and ServerHttpBasicAuthenticationConverter to implement ServerAuthenticationConverter
- Deprecate existing AuthenticationWebFilter.setAuthenticationConverter
and add overloaded one which takes ServerAuthenticationConverter
Fixes gh-5338
Adding JwtDecoders#fromOidcIssuerLocation which takes an issuer
and derives from it the jwk set uri via a call to
.well-known/openid-configuration
Fixes: gh-5523
Previously there was a tangle between
DefaultOAuth2AuthorizationRequestResolver and
OAuth2AuthorizationRequestRedirectFilter with
AUTHORIZATION_REQUIRED_EXCEPTION_ATTR_NAME
This commit adds a new method that can be used for resolving the
OAuth2AuthorizationRequest when the client registration id is known.
Issue: gh-4911
The current name of createDelegatingJwtValidator is not intuitive. The
name implies it is just creating a DelegatingOAuth2TokenValidator with
no mention that JwtTimestampValidator is being added.
To resolve this, the arguments have been removed and only
JwtTimestampValidator is added. User's needing additional validators can
add the result of this method to DelegatingOAuth2TokenValidator along with
the additional validators they wish to use. The method name has been
renamed to createDefault which now accurately reflects what is created.
There is no need to have JwtValidator at the end of the method since
the method is located in JwtValidators.
The commit also adds createDefaultWithIssuer for creating with a specific issuer.
Issue: gh-5133
This introduces OAuth2TokenValidator which allows the customization of
validation steps that need to be performing when decoding a string
token to a Jwt.
At this point, two validators, JwtTimestampValidator and
JwtIssuerValidator, are available for use.
Fixes: gh-5133
OIDC Provider Configuration is now being used to create more than just
ClientRegistration instances. Also, the endpoint is being addressed in
more contexts than just the client.
To that end, this refactors OidcConfigurationProvider in the config
project to ClientRegistrations in the oauth2-client project.
Fixes: gh-5647
Currently if a state exists, but an undefined state parameter is provided
a NullPointerException occurs.
This commit handles the null value.
Fixes: gh-5599
Renamed OidcReactiveAuthenticationManager to
OidcAuthorizationCodeReactiveAuthenticationManager since it only handles
authorization code flow.
Fixes: gh-5530
To create redirect_uri in OAuth2AuthorizationRequestRedirectWebFilter,
queryParam is included in the current request-based baseUrl.
So when binding to the redirectUriTemplate,
the wrong type of redirect_uri may be created.
Fixed: gh-5520
This section defines three methods of sending bearer access tokens
in resource requests to resource servers.
Clients MUST NOT use more than
one method to transmit the token in each request.
RFC6750 Section 2 Authenticated Requests
https://tools.ietf.org/html/rfc6750#section-2
Add AuthenticationMethod in ClientRegistration UserInfoEndpoint.
Add AuthenticationMethod for OAuth2UserService to get User.
To support the use of the POST method.
https://tools.ietf.org/html/rfc6750#section-2.2
gh-5500
Allows scope of OAuth2 ClientRegistration to be null.
- The scope setting in the RFC document is defined as Optional.
https://tools.ietf.org/html/rfc6749#section-4.1.1
> scope: OPTIONAL.
> The scope of the access request as described by Section 3.3.
- When the client omits the scope parameter,
validation is determined by the authorization server.
https://tools.ietf.org/html/rfc6749#section-3.3
> If the client omits the scope parameter when requesting
authorization, the authorization server MUST either process the
request using a pre-defined default value or fail the request
indicating an invalid scope. The authorization server SHOULD
document its scope requirements and default value (if defined).
Fixes gh-5494
To create redirect_uri in DefaultOAuth2AuthorizationRequestResolver,
queryParam is included in the current request-based baseUrl.
So when binding to the redirectUriTemplate,
the wrong type of redirect_uri may be created.
Fixes gh-5520
A test against the Nimbus library was relying on specific messaging
from Nimbus as well as the JDK, making it brittle.
Now, it simply relies on the messaging that we control.
Issue: gh-4887
It is quite likely we will need to prevent certain Exceptions from being
saved or from triggering a saved request. When we add support for this,
we can now leverage @Transient vs creating a new annotation.
Issue: gh-5481
Introducing initial support for Jwt-Encoded Bearer Token authorization
with remote JWK set signature verification.
High-level features include:
- Accepting bearer tokens as headers and form or query parameters
- Verifying signatures from a remote Jwk set
And:
- A DSL for easy configuration
- A sample to demonstrate usage
Fixes: gh-5128
Fixes: gh-5125
Fixes: gh-5121
Fixes: gh-5130
Fixes: gh-5226
Fixes: gh-5237
When Nimbus fails to parse either a JWK response or a JWT response,
the error message contains information that either should or cannot be
included in a Bearer Token response.
For example, if the response from a JWK endpoint is invalid JSON, then
Nimbus will send the entire response from the authentication server in
the resulting exception message.
This commit captures these exceptions and removes the parsing detail,
replacing it with more generic information about the nature of the
error.
Fixes: gh-5517
Change the TokenType to Serializable
so that the OAuth2AccessToken can be serialized.
(org.springframework.security.oauth2.core.OAuth2AccessToken.TokenType)
Fixes gh-5492
This commit captures and remaps the exception that Nimbus throws
when a PlainJWT is presented to it.
While the surrounding classes are likely only used today by the
oauth2Login flow, since they are public, we'll patch them at this
point for anyone who may be using them directly.
Fixes: gh-5457
This reverts commit 9fe0f50e3c.
The original commit was accidentally pushed prior to PR. We attempted
to revert the commit hoping the PR would open again. This did not work.
We are going to do a Polish commit instead.
Issue: gh-5355
Spring Operator
Stephen Doxsee
Josh Cummings
Rob Winch
Zhanwei Wang
Joe Grandja
Fabien Arrault
Gerardo Roza
Rafael Dominguez
Adrian Javorski
Johnny Lim
Warren Bailey
Eric Deandrea
shraiysh
Nicolas Le Bas
jer051
dperezcabrera
Vedran Pavic
mhyeon.lee