Commit Graph

783 Commits

Author SHA1 Message Date
Rob Winch f836897190 Checkstyle Fixes
- Javadoc tag ordering
- Private constructors before inner classes

Issue gh-10394
2021-10-18 21:03:35 -05:00
Rob Winch 0c088e278a Update r2dbc-spi-test to 0.8.6.RELEASE
Closes gh-10393
2021-10-18 21:03:12 -05:00
Dávid Kováč 64e9ac995a getClaimAsBoolean() should not be falsy
Closes gh-10148
2021-10-14 11:28:09 -05:00
Philipp Neuschwander 6db58cbf8a Conditionally resolve bearer token from request parameters
Before this commit, the DefaultBearerTokenResolver unconditionally
resolved the request parameters to check whether multiple tokens
are present in the request and reject those requests as invalid.

This commit changes this behaviour to resolve the request parameters
only if parameter token is supported for the specific request
according to spec (RFC 6750).

Closes gh-10326
2021-10-13 17:10:50 -05:00
Dávid Kováč 0299808b05 Add ClaimAccessor tests
Add tests for ClaimAccessor#getClaimAsMap and ClaimAccessor#getClaimAsStringList

Issue gh-10117
2021-10-13 12:53:40 -06:00
Dávid Kováč 125d33e3cf Update JavaDoc according to implementation
Update ClaimAccessor#getClaimAsMap and ClaimAccessor#getClaimAsStringList
JavaDoc according to the current implementation

Closes gh-10117
2021-10-13 12:53:40 -06:00
Joe Grandja e3abaf7999 Add OAuth2ErrorCodes.INVALID_REDIRECT_URI
Closes gh-10370
2021-10-13 14:12:44 -04:00
Steve Riesenberg 3b564b2026 Add parameters converter support to AbstractWebClientReactiveOAuth2AccessTokenResponseClient
This adds support for configuring NimbusJwtClientAuthenticationParametersConverter to any AbstractWebClientReactiveOAuth2AccessTokenResponseClient as an additional parameters converter, which in turns adds reactive support for jwt client authentication.

Closes gh-10146
2021-10-06 13:09:33 -05:00
Steve Riesenberg 9b24f66f1c Implement reactive support for JWT as an Authorization Grant
Closes gh-10147
2021-10-05 16:09:24 -05:00
Marcus Da Coregio 02b2fcc6f0 Restore ManagementConfigurationPlugin
Issue gh-9615
2021-10-05 11:23:29 -03:00
Marcus Da Coregio d2e5f2ae0d Update Gradle to 7.2
Closes gh-9615
2021-10-04 15:19:40 -03:00
Josh Cummings 0f8fa36b93 Fix OAuth2 Error Code
Closes gh-10319
2021-09-28 13:24:51 -06:00
Darren Forsythe 5556b821e3 Check for multiple access tokens per rfc 6750
Check for multiple access tokens on the ServerHttpRequest rather than get get first. If multiples are found throw a OAuth2AuthenticationException.

Closes gh-5708
2021-09-28 08:07:06 -06:00
Joe Grandja 97c949d929 oauth2Login() AuthenticationProvider's preserve root cause exception when rethrown
Closes gh-10228
2021-09-24 10:41:31 -04:00
Joe Grandja 5830fda2fa Introduce JwtEncoder
Closes gh-9208
2021-09-24 05:13:40 -04:00
bishoy basily 860690491a Add setBodyExtractor
Closes gh-10260
2021-09-22 15:32:19 -06:00
Josh Cummings 7b599d4770 Share JWKSource Instances
Closes gh-10312
2021-09-22 13:28:08 -06:00
Josh Cummings 4e7c9bee46 Add Supplier JwtDecoders
Closes gh-9991
2021-09-22 10:58:55 -06:00
Rob Winch 62db842865 Update com.nimbusds to 9.15
Closes gh-10287
2021-09-17 16:40:58 -05:00
Ashley Scopes 171522ebf2 Replace usages of deprecated OAuth2IntrospectionClaimNames
Replace all usages of OAuth2IntrospectionClaimNames with
the suggested OAuth2TokenIntrospectionClaimNames.

There does not appear to be any further usages of OAuth2IntrospectionClaimNames,
so it should be suitable for removal when appropriate in accordance with the
deprecation policy.
2021-09-15 15:05:08 -06:00
Ashley Scopes 7ccc915b2b Ensuring consistency in error handling of opaque providers/managers
The OpaqueTokenAuthenticationProvider now propagates the cause of
introspection exceptions in the same way that the reactive
OpaqueTokenReactiveAuthenticationManager does.

Fixed a final field warning on both OpaqueTokenAuthenticationProvider
and OpaqueTokenReactiveAuthenticationManager.
2021-09-15 15:05:08 -06:00
Ashley Scopes e9d5bbba34 Fixed final field warnings in opaque token introspectors 2021-09-15 15:05:08 -06:00
Ashley Scopes 95c2403968 Fixed potential NullPointerException in opaque token introspection
It appears Nimbus does not check the presence of the Content-Type
header before parsing it in some versions, and since prior to this
commit, the code is .toString()-ing the result, a malformed response
(such as that from a misbehaving cloud gateway) that does not include
a Content-Type would currently throw a NullPointerException.

In addition to this, I have added a little more information to the
log output for this module on the standard and reactive implementations
to aid in debugging authorization/authentication issues much more
easily.
2021-09-15 15:05:08 -06:00
Ashley Scopes dd43d9198b Amended treatment of OAuth2 'iss' claim
Prior to this commit, the OAuth2 resource server code is failing any issuer
that is not a valid URL. This does not correspond to
https://datatracker.ietf.org/doc/html/rfc7662#page-7 which redirects to
https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1, defining an
issuer as being a "StringOrURI", which is defined at
https://datatracker.ietf.org/doc/html/rfc7519#page-5 as being
an "arbitrary string value" that "MUST be a URI" only for
"any value containing a ':'".

The issue currently is that an issuer that is not a valid URL may be
provided, which will automatically result in the request being aborted
due to being invalid.

I have removed the check entirely, since while the claim could be invalid,
it is still a response that the OAuth2 introspection endpoint has provided.
In the liklihood that interpretations of this behaviour are different for
the OAuth2 server implementation in use, this currently stops Spring
Security from being able to be used at all without implementing a custom
introspector from scratch.

It is also worth noting that the spec does not specify whether it is
valid to normalize issuers or not if they are valid URLs. This may cause
other unintended side effects as a result of this change, so it is
safer to disable it entirely.
2021-09-15 15:05:08 -06:00
Ayush Kohli f1691370d6 Closes gh-10222 2021-09-03 10:58:01 -06:00
/usr/local/ΕΨΗΕΛΩΝ 4302a86fad
Default principalClaimName to SUB
Closes gh-10214
2021-08-20 15:02:22 -06:00
Rujun Chen 9b4ddd7e0a Make AuthorizationGrantTypeConverter support custom grant type
Closes gh-10155
2021-08-19 13:13:20 -04:00
Josh Cummings cdc902d04d
Update SpringOpaqueTokenIntrospector
Issue gh-9647
2021-08-12 16:52:02 -06:00
Dávid Kováč 3ff825576b Move and rename OAuth2IntrospectionClaimAccessor/Names
Introduced OAuth2TokenIntrospectionClaimAccessor and OAuth2TokenIntrospectionClaimNames
with copied implementation from OAuth2IntrospectionClaimAccessor/Names.
OAuth2IntrospectionClaimAccessor and OAuth2IntrospectionClaimNames are
now deprecated.

Also method getScopes() returning list of scopes was introduced
and getScope() is now deprecated.

Closes gh-9647
2021-08-12 16:51:33 -06:00
Josh Cummings b83a4c2985
Polish Preserve Null Claim Values
Preserves the original behavior of ClaimTypeConverter so that its
converters can maintain their default behavior of null meaning that
conversion failed.

Issue gh-10135
2021-08-12 10:22:44 -06:00
Fabio Guenci 30a1c1af7c
Preserve Null Claim Values
Prior to this commit ClaimTypeConverter returned the claims with the
original value for all the claims with a null converted value.
The changes allows ClaimTypeConverter to overwrite and return claims
with converted value of null.

Closes gh-10135
2021-08-12 10:09:34 -06:00
Steve Riesenberg 6d6dc113d8 Add converter for authentication result in OAuth2LoginAuthenticationFilter
Closes gh-10033
2021-08-10 16:50:19 -05:00
Steve Riesenberg fc553bf19a Add gh-10130 to tests 2021-08-09 15:33:54 -05:00
Steve Riesenberg acca3dba69 Polish gh-10131 2021-08-09 11:07:12 -05:00
Vincent Boulaye 044157061f Enable customizing headers in token requests
Adds the possibility to customize the headers of the access token request in AbstractWebClientReactiveOAuth2AccessTokenResponseClient, similarly to what is done in the AbstractOAuth2AuthorizationGrantRequestEntityConverter.

Closes gh-10130
2021-08-09 10:50:37 -05:00
Josh Cummings 6370906ead
Add SpringOpaqueTokenIntrospector
Closes gh-9354
2021-07-26 10:50:50 -06:00
Steve Riesenberg f5266c7511 Remove wildcard from generics in converter
Polish gh-9779
2021-07-12 23:42:47 -05:00
Rob Winch f73f213f50 Remove DependencySetPlugin
Closes gh-10070
2021-07-12 15:31:38 -05:00
Rob Winch 98bd772b67 format 2021-07-09 14:49:47 -05:00
Rob Winch b6ff4d3674 Fix mockito UnnecessaryStubbingException 2021-07-09 14:35:10 -05:00
Rob Winch 3e93b024d6 openrewrite Junit Migration 2021-07-09 14:32:52 -05:00
Rob Winch 14240b2559 Remove Powermock
Powermock does not support JUnit5 yet, so we need to remove it
to support JUnit 5. Additionally, maintaining additional libraries
adds extra work for the team.

Mockito now supports final classes and static method mocking. This
commit replaces Powermock with mockito-inline.

Closes gh-6025
2021-07-08 12:35:32 -05:00
Josh Cummings d4c3cea0e6
Update Copyright
Issue gh-9901
2021-06-17 08:34:31 -06:00
Arnaud Mergey 1d606ccedb fix typo preventing full exception to be displayed in log
closes gh-9901
2021-06-17 08:33:32 -06:00
Steve Riesenberg 807ce30948 Support additional client authentication methods
Closes gh-9780
2021-06-16 15:48:03 -05:00
Steve Riesenberg 0cba0874f3 Handle missing authorization endpoint uri
Closes gh-9795
2021-06-16 15:38:53 -05:00
Steve Riesenberg 9b05afdee8 Remove validation for unsupported grant types
Closes gh-9828
2021-06-16 14:54:33 -05:00
Joe Grandja eb6ed283e0 Jwt client authentication converter detects new key
Closes gh-9814
2021-06-16 12:55:12 -04:00
Steve Riesenberg aed993f3e5
Store one request by default in WebSessionOAuth2ServerAuthorizationRequestRepository
Related to gh-9649
Closes gh-9857
2021-06-15 11:03:30 -05:00
Eleftheria Stein 36805c7192 Revert "Use strict equality for timestamp comparison in JDBC tests"
This reverts commit 09a0670cb6.

This appears to still be an issue in Windows

Issue gh-8782
2021-06-08 10:13:53 +03:00