Commit Graph

517 Commits

Author SHA1 Message Date
Hassene Laaribi 7694aa27cf Add jwt-bearer authorization grant
Closes gh-6053
2021-04-09 06:22:29 -04:00
Joe Grandja 9c97970e26 Add Jwt Client Authentication support
Closes gh-8175
2021-04-08 15:44:33 -04:00
Hassene Laaribi b8e47882aa Fix test to use non-expired token
Closes gh-9506
2021-03-17 17:38:08 +01:00
Josh Cummings 5e5ff27109
Configure Jackson for nanosecond precision
Closes gh-9461
2021-02-17 11:53:36 -07:00
Josh Cummings a0a9718b8b
Use Instant with micro-second precision
Closes gh-9449
2021-02-17 11:31:23 -07:00
Benjamin Faal d85a7cfc4a Make user info response status check error only
Closes gh-9336
2021-01-25 10:02:58 -05:00
tristanessquare 56db058fd0
Fix NullPointerException
- Caused by a malformed WWW-Authenticate value
2021-01-21 16:18:23 -07:00
Joe Grandja 58e3235093 Deprecate ClientAuthenticationMethod BASIC and POST
Closes gh-9220
2020-11-25 15:13:28 -05:00
Joe Grandja c069692ab9 Extract OAuth2Token from AbstractOAuth2Token
Closes gh-5502
2020-11-02 20:35:08 -05:00
Ovidiu Popa 6724e3e514 Provide a R2dbc implementation of ReactiveOuath2AuthorizedClientService
Implement R2dbcReactiveOuath2AuthorizedClientService which persists the
Oauth2AuthorizedClient in a sql database

R2dbcReactiveOuath2AuthorizedClientService is using the spring-r2dbc
module to persist/load Oauth2AuthorizedClient to/from a sql database

Add optional depedency to the spring-r2dbc module
Add test compile dependencies to r2dbc-h2 and r2dbc-test

Closes gh-7890
2020-10-29 15:44:12 -04:00
Craig Andrews 42a787d1f6 Add Postgres sql for JDBC implementation of OAuth2AuthorizedClientService
Postgres doesn't have a BLOB type, but it does have an equivalent BYTEA
type.
This approach and naming convention follows the convention established
in Spring Session JDBC which has sql for each RDBMS with files names in
the pattern *-{dbname}.sql, for example:
schema-db2.sql
schema-derby.sql
schema-h2.sql
schema-mysql.sql
schema-postgresql.sql

See https://github.com/spring-projects/spring-session/tree/2.3.1.RELEASE/spring-session-jdbc/src/main/resources/org/springframework/session/jdbc

Issue gh-9070
2020-10-22 09:56:20 -04:00
Craig Andrews 05dc326389 Use LobHandler in JdbcOAuth2AuthorizedClientService
LobHandler provides an abstraction for handling large binary fields and large text
fields in specific databases, no matter if represented as simple types or
Large OBjects.

Its use provides compatibility with many databases eliminating the need
for custom OAuth2AuthorizedClientParametersMapper and
OAuth2AuthorizedClientRowMapper implementations.

Closes gh-9070
2020-10-22 09:56:20 -04:00
Phillip Webb c502312719 Replace expected @Test attributes with AssertJ
Replace JUnit expected @Test attributes with AssertJ calls.
2020-09-22 16:13:51 -06:00
Phillip Webb 20baa7d409 Replace ExpectedException @Rules with AssertJ
Replace JUnit ExpectedException @Rules with AssertJ calls.
2020-09-22 16:13:51 -06:00
Joe Grandja 6e6d382357 Adapt to WebClient's new exception wrapping
See https://github.com/spring-projects/spring-framework/issues/23842

Closes gh-9031
2020-09-17 12:21:51 -04:00
Rob Winch 2abf59b695 Merge Formatting Changes
Issue gh-8945
2020-08-24 17:33:23 -05:00
Rob Winch dc47a7575e Polish oauth-client format
Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb 319d3364aa Migrate to assertThatExceptionOfType
Consistently use `assertThatExceptionOfType(...).isThrownBy(...)`
rather than `assertThatCode` or `assertThatThrownBy`. This aligns with
Spring Boot and Spring Cloud. It also allows the convenience
`assertThatIllegalArgument` and `assertThatIllegalState` methods to
be used.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb 2f8e835b11 Use assertThatObject to save casting
Update tests that use `assertThat((Object) ...)` to use the convenience
`assertThatObject(...)` method instead.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb a5aa6b3d7f Remove blank lines from all tests
Remove all blank lines from test code so that test methods are
visually grouped together. This generally helps to make the test
classes easer to scan, however, the "given" / "when" / "then"
blocks used by some tests are now not as easy to discern.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb 7a715f9086 Polish spring-security-oauth2-client main code
Manually polish `spring-security-oauth-cleint` following the
formatting and checkstyle fixes.

Issue gh-8945
2020-08-24 17:33:09 -05:00
Phillip Webb 834dcf5bcf Use consistent ternary expression style
Update all ternary expressions so that the condition is always in
parentheses and "not equals" is used in the test. This helps to bring
consistency across the codebase which makes ternary expression easier
to scan.

For example: `a = (a != null) ? a : b`

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 8d3f039f76 Reduce method visibility when possible
Reduce method visibility for package private classes when possible.

In the case of abstract classes that will eventually be made public,
the class has been made public and a package-private constructor has
been added.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 612fb22a7f Remove unnecessary lambda blocks
Remove lambda blocks that aren't needed and replace instead with a
simple expression.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 52f20b5281 Use parenthesis with single-arg lambdas
Use regular expression search/replace to ensure all single-arg
lambdas have parenthesis. This aligns with the style used in Spring
Boot and ensure that single-arg and multi-arg lambdas are consistent.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 01d90c9881 Hide utility class constructors
Update all utility classes so that they have a private constructor. This
prevents users from accidentally creating an instance, when they should
just use the static methods directly.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb ff94944313 Add whitespace after copyright header
Add an additional lines after the copyright header and before the
`package` declaration. This aligns with the style used by Spring
Framework.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 8d80166aaf Update exception variable names
Consistently use `ex` for caught exception and `cause` for Exception
constructor arguments.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb e9130489a6 Remove restricted static imports
Replace static imports with class referenced methods. With the exception
of a few well known static imports, checkstyle restricts the static
imports that a class can use. For example, `asList(...)` would be
replaced with `Arrays.asList(...)`.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb db55ef4b3b Migrate to BDD Mockito
Migrate Mockito imports to use the BDD variant. This aligns better with
the "given" / "when" / "then" style used in most tests since the "given"
block now uses Mockito `given(...)` calls.

The commit also updates a few tests that were accidentally using
Power Mockito when regular Mockito could be used.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb 18f3d13363 Fix parenthesis padding issues
Fix a few parenthesis padding issues caused by the formatter.

Issue gh-8945
2020-08-24 17:33:08 -05:00
Phillip Webb a0b9442265 Use consistent modifier order
Update code to use a consistent modifier order that aligns with that
used in the "Java Language specification".

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb a2f2e9ac8d Move inner-types so that they are always last
Move all inner-types so that they are consistently the last item
defined. This aligns with the style used by Spring Framework and
the consistency generally makes it easier to scan the source.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 418c3d6808 Avoid inner assignments
Replace code of the form `a = b =c` with distinct statements. Although
this results in more lines of code, they are usually easier to
understand.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 9e08b51ed3 Apply code cleanup rules to projects
Apply automated cleanup rules to add `@Override` and `@Deprecated`
annotations and to fix class references used with static methods.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 8866fa6fb0 Always use 'this.' when accessing fields
Apply an Eclipse cleanup rules to ensure that fields are always accessed
using `this.`. This aligns with the style used by Spring Framework and
helps users quickly see the difference between a local and member
variable.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 6894ff5d12 Make classes final where possible
Update classes that have private constructors so that they are also
declared final. In a few cases, inner-classes used private constructors
but were subclassed. These have now been changed to have package-private
constructors.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 37fa94fafc Organize imports
Use "organize imports" from Eclipse to cleanup import statements so
that they appear in a consistent and well defined order.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb 5f64f53c3f Use consistent "@" tag order in Javadoc
Ensure that Javadoc "@" tags appear in a consistent and well defined
order.

Issue gh-8945
2020-08-24 17:33:07 -05:00
Phillip Webb b7fc18262d Reformat code using spring-javaformat
Run `./gradlew format` to reformat all java files.

Issue gh-8945
2020-08-24 17:32:56 -05:00
Martin Vietz 0486d5add9 scopes_supported metadata not used as default in ClientRegistrations
Closes gh-8514
2020-08-20 08:09:54 -04:00
Phillip Webb 27ac046d8a Rename *Test.java -> *Tests.java
Rename a few test classes that accidentally ended in `Test` instead of
`Tests`.

Issue gh-8945
2020-08-10 16:24:44 -05:00
Joe Grandja 8146b1fdda Deprecate CustomUserTypesOAuth2UserService
Closes gh-8908
2020-08-04 13:23:44 -04:00
Joe Grandja 73e550a867 Polish gh-8906 2020-08-04 11:16:26 -04:00
Joe Grandja 0ed919f072 Deprecate ClientRegistration.redirectUriTemplate
Closes gh-8906
2020-08-04 11:03:29 -04:00
Joe Grandja a0c10f2df6 Allow for custom ClientRegistration.clientAuthenticationMethod
Closes gh-8903
2020-08-04 08:48:56 -04:00
Joe Grandja 4e5a304a8a Remove use of Mono.deferWithContext()
Closes gh-8901
2020-08-04 07:26:32 -04:00
Dennis Neufeld de572be8e9 Add OAuth2AuthenticationException to allowlist
Add mixins for
- OAuth2AuthenticationException
- OAuth2Error

Closes gh-8797
2020-07-21 10:14:45 -04:00
Joe Grandja b69bcf88e0 Improve error message when invalid content-type for UserInfo response
Closes gh-8764
2020-07-09 14:10:14 -04:00
Eleftheria Stein eb7b27695d Compare Timestamps up to the millisecond
Issue gh-8782
2020-07-01 11:12:55 +02:00
Joe Grandja da4b626bf1 OAuth2LoginAuthenticationWebFilter should handle OAuth2AuthorizationException
Issue gh-8609
2020-06-09 17:28:21 -04:00
Joe Grandja 4c902bb857 OAuth2AuthorizationCodeGrantWebFilter should handle OAuth2AuthorizationException
Fixes gh-8609
2020-06-09 17:28:21 -04:00
Josh Cummings 1d821a2664
Add Ticket Number to Test
Issue gh-8650
2020-06-05 14:24:49 -06:00
Erik Bakker cd3fd6762f
Don't Consume Request Body
Per the servlet spec, getParameter(name) consumes the request body for
POST requests.

This commit prevents DefaultOAuth2AuthorizationRequestResolver from
consuming the request body for non-Authorization requests.

Closes gh-8650
2020-06-05 14:21:00 -06:00
Parikshit Dutta 28d2cfa14a Add ServerRequestCache setter in OAuth2AuthorizationCodeGrantWebFilter
Fixes gh-8536
2020-06-02 21:54:09 -04:00
Parikshit Dutta 1e211b6558 Add RequestCache setter in OAuth2AuthorizationCodeGrantFilter
Fixes gh-8120
2020-05-15 15:13:15 -04:00
Joe Grandja c1abc9b134 Polish gh-8501 2020-05-15 13:26:09 -04:00
Thomas Vitale 78fa859798 Add issuerUri to ClientRegistration.providerDetails
- Add "issuerUri" attribute to ClientRegistration.providerDetails for OpenID Connect Discovery 1.0 or OAuth 2.0 Authorization Server Metadata.
- Validate OidcIdToken "iss" claim against the OpenID Provider "issuerUri" value.
- Update documentation for client registration: it includes issuer-uri property now.

Fixes gh-8326
2020-05-14 17:13:07 -04:00
Stav Shamir a783fbc641 Support update when saving with JdbcOAuth2AuthorizedClientService
Before this commit, JdbcOAuth2AuthorizedClientService threw DuplicateKeyException when re-authorizing or when authorizing the same user from a different client.

This commit makes JdbcOAuth2AuthorizedClientService's saveAuthorizedClient method consistent with that of InMemoryOAuth2AuthorizedClientService.

Fixes gh-8425
2020-04-29 07:37:57 -04:00
Daniel Furtlehner 32ce94d2dd Validate ID Token Issuer
When the issuer is set in the provider metadata, we validate the iss
field of the ID Token against it.

The OpenID Connect Specification says this must always be validated.
But this would be a breaking change for applications configured other
than with ClientRegistrations.fromOidcIssuerLocation(issuer). This will
be done later with #8326

Fixes gh-8321
2020-04-21 20:30:01 -04:00
Antonin Arquey 5cd1ec7bb3 Add AuthoritiesMapper setter for reactive OAuth2Login
Allow the configuration of a custom GrantedAuthorityMapper for reactive OAuth2Login

- Add setter in OidcAuthorizationCodeReactiveAuthenticationManager
  and OAuth2LoginReactiveAuthenticationManager

- Use an available GrantedAuthorityMapper bean to configure the default ReactiveAuthenticationManager

Fixes gh-8324
2020-04-17 16:55:05 -04:00
Ruby Hartono 71b4248fe6 Improve OAuth2LoginAuthenticationProvider
1. update OAuth2LoginAuthenticationProvider to use
OAuth2AuthorizationCodeAuthenticationProvider
2. apply fix gh-5368 for OAuth2AuthorizationCodeAuthenticationProvider
to return additionalParameters value from accessTokenResponse

Fixes gh-5633
2020-03-30 20:55:43 -04:00
Martin Nemec 75c05d0bb4 OAuth2 ClientRegistrations NPE fix when userinfo missing
Fixes gh-8187
2020-03-27 05:58:28 -04:00
Joe Grandja 46baf38f59 Fix OAuth2AuthorizationRequest additionalParameters/attributes Consumer
Fixes gh-8177
2020-03-24 13:44:09 -04:00
Joe Grandja a9dabf6efb Assign sensible default for OAuth2AuthorizedClientProvider
Fixes gh-8150
2020-03-19 11:44:30 -04:00
Josh Cummings 968ebb194b
baseUrl placeholder for OidcLogoutSuccessHandlers
Fixes gh-7842
2020-02-25 13:35:50 -07:00
Joe Grandja fa73b1397a Add missing @FunctionalInterface in oauth2 modules
Fixes gh-8020
2020-02-24 11:53:30 -05:00
Joe Grandja 3e5600f83f Add configurable Clock in OidcIdTokenValidator
Fixes gh-8019
2020-02-24 11:21:03 -05:00
Joe Grandja 7734d049eb Polish javadoc gh-7511 2020-02-24 10:35:58 -05:00
Joe Grandja d32c98b1c5 Add OAuth2AuthorizeRequest.Builder.principal(String)
Fixes gh-8018
2020-02-24 09:58:38 -05:00
Joe Grandja c6da7b2dd6 Polish gh-7840 2020-02-24 09:28:00 -05:00
Joe Grandja 65b5d468fb Deprecate UnAuthenticatedServerOAuth2AuthorizedClientRepository
Fixes gh-8016
2020-02-24 06:50:58 -05:00
Joe Grandja 4e2f1988f2 Polish Fix package tangles
Issue #7699 #7840
2020-02-24 06:42:00 -05:00
Joe Grandja 82cd203791 Remove unnecessary mocking
Fixes gh-8012
2020-02-23 19:35:16 -05:00
Joe Grandja c8cc9717c9 Fix package tangles
Issue #7699 #7840
2020-02-23 07:24:36 -05:00
Joe Grandja f2da2c56be Resolve OAuth2Error from WWW-Authenticate header
Issue gh-7699
2020-02-21 15:12:58 -05:00
Joe Grandja 69156b741d Add OAuth2Authorization success/failure handlers
Fixes gh-7840
2020-02-21 15:12:58 -05:00
Joe Grandja 23ce717380 Simplify customizing OAuth2AuthorizationRequest
Fixes gh-7696
2020-02-19 06:22:07 -05:00
Joe Grandja de8b558561 Add JDBC implementation of OAuth2AuthorizedClientService
Fixes gh-7655
2020-02-13 12:17:29 -05:00
Joe Grandja 0809c04aa2 OAuth2AuthorizationCodeGrantWebFilter matches on query parameters
Fixes gh-7966
2020-02-10 15:11:04 -05:00
Joe Grandja 3c86239b39 OAuth2AuthorizationCodeGrantFilter matches on query parameters
Fixes gh-7963
2020-02-10 05:13:47 -05:00
Stephane Maldini 851be025e9 Don't force downcasting of RequestAttributes to ServletRequestAttributes
Fixes gh-7952
2020-02-07 20:44:19 -05:00
Joe Grandja 25d029b092 Fix test gh-7873 2020-02-04 12:00:55 -05:00
Joe Grandja 04f3fe8af9 Add Jackson support for oauth2-client session related classes
Fixes gh-4886
2020-02-04 09:01:12 -05:00
Phil Clay e5fca61810 Introduce Reactive OAuth2Authorization success/failure handlers
All ReactiveOAuth2AuthorizedClientManagers now have authorization success/failure handlers.
A success handler is provided to save authorized clients for future requests.
A failure handler is provided to remove previously saved authorized clients.

ServerOAuth2AuthorizedClientExchangeFilterFunction also makes use of a
failure handler in the case of unauthorized or forbidden http status code.

The main use cases now handled are
- remove authorized client when an authorization server indicates that a refresh token is no longer valid (when authorization server returns invalid_grant)
- remove authorized client when a resource server indicates that an access token is no longer valid (when resource server returns invalid_token)

Introduced ClientAuthorizationException to capture details needed when removing an authorized client.
All ReactiveOAuth2AccessTokenResponseClients now throw a ClientAuthorizationException on failures.

Created AbstractWebClientReactiveOAuth2AccessTokenResponseClient to unify common logic between all ReactiveOAuth2AccessTokenResponseClients.

Fixes gh-7699
2020-01-16 15:24:55 -05:00
Rob Winch 65981444f1 Use Version Ranges
Fixes gh-7788
2020-01-06 14:46:48 -06:00
Josh Cummings 02f161aba7
Use OidcIdToken.Builder
Issue gh-7592
2019-12-12 07:37:15 -07:00
Phil Clay cffad1be02 Polish #7589
Rename OAuth2AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager to AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager.

Handle empty mono returned from contextAttributesMapper.

Handle empty map returned from contextAttributesMapper.

Fix DefaultContextAttributesMapper so that it doesn't access ServerWebExchange.

Fix unit tests so that they pass.

Use StepVerifier in unit tests, rather than .subscribe().

Fixes gh-7569
2019-12-10 13:59:51 -05:00
Ankur Pathak c29309d744 Reactive Implementation of AuthorizedClientServiceOAuth2AuthorizedClientManager
ReactiveOAuth2AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager is reactive
version of AuthorizedClientServiceOAuth2AuthorizedClientManager

Fixes: gh-7569
2019-12-10 13:59:51 -05:00
Joe Grandja 24500fa3ca Remove redundant validation for redirect-uri
Fixes gh-7706
2019-12-06 11:55:31 -05:00
Josh Cummings bb8706977d
Polish DefaultOAuth2AuthorizedClientManager 2019-12-02 16:05:17 -07:00
Joe Grandja 65513f2e3b Polish OAuth2AuthorizedClientArgumentResolver 2019-11-28 09:48:01 -05:00
Joe Grandja 80f256e425 ServerOAuth2AuthorizedClientExchangeFilterFunction works with UnAuthenticatedServerOAuth2AuthorizedClientRepository
Fixes gh-7544
2019-11-28 09:48:01 -05:00
Joe Grandja 07b8aa0b1f DefaultReactiveOAuth2AuthorizedClientManager requires non-null serverWebExchange
Issue gh-7544
2019-11-28 09:48:01 -05:00
Josh Cummings 22ae3eb765
Polish Error-handling Tests
Tests should assert the error message content that Spring Security
controls.

Fixes gh-7647
2019-11-14 16:13:39 -07:00
Rafiullah Hamedy 58ca81d500 Make jwks_uri optional for RFC 8414 and Required for OpenID Connect
OpenID Connect Discovery 1.0 expects the OpenId Provider Metadata 
response is expected to return a valid jwks_uri, however, this field is 
optional in the Authorization Server Metadata response as per RFC 8414
specification.

Fixes gh-7512
2019-11-11 10:34:06 -07:00
Phil Clay 8584b12c8d Make saveAuthorizedClient save the authorized client
Previously, saveAuthorizedClient never actually saved the authorized
client, because it ignored the Mono<Void> returned from
authorizedClientRepository.saveAuthorizedClient.

Now, it does not ignore the Mono<Void> returned from
authorizedClientRepository.saveAuthorizedClient, and includes it in
the stream, and therefore it will properly save the authorized client.

Fixes gh-7546
2019-10-23 12:12:23 -04:00
Joe Grandja 1c53a7859b Fix access token expiry check with clock skew
Fixes gh-7511
2019-10-22 21:54:55 -04:00
Everett Irwin 6ad328f909 Add Clock Skew Tests
Fixes gh-7511

Co-authored-by: Isaac Cummings <josh.cummings+zac@gmail.com>
2019-10-17 20:19:47 -06:00
Josh Cummings adf9769eed
Add ClientRegistration.withClientRegistration
Fixes gh-7486
2019-09-27 14:17:50 -06:00