spring-security

mirror of https://github.com/spring-projects/spring-security.git synced 2025-02-24 07:37:50 +00:00

Author	SHA1	Message	Date
Spring Operator	b93528138e	URL Cleanup This commit updates URLs to prefer the https protocol. Redirects are not followed to avoid accidentally expanding intentionally shortened URLs (i.e. if using a URL shortener). # Fixed URLs ## Fixed Success These URLs were switched to an https URL with a 2xx status. While the status was successful, your review is still recommended. * http://www.apache.org/licenses/ with 1 occurrences migrated to: https://www.apache.org/licenses/ ([https](https://www.apache.org/licenses/) result 200). * http://www.apache.org/licenses/LICENSE-2.0 with 2691 occurrences migrated to: https://www.apache.org/licenses/LICENSE-2.0 ([https](https://www.apache.org/licenses/LICENSE-2.0) result 200). * http://www.apache.org/licenses/LICENSE-2.0.html with 2 occurrences migrated to: https://www.apache.org/licenses/LICENSE-2.0.html ([https](https://www.apache.org/licenses/LICENSE-2.0.html) result 200).	2019-03-14 15:46:20 -05:00
Stephen Doxsee	7739a0e91a	Add PKCE OAuth2 client support - Support has been added for "RFC7636: Proof Key for Code Exchange by OAuth Public Clients" (PKCE, pronounced "pixy") to mitigate against attacks targeting the interception of the authorization code - PkceParameterNames was added for the 3 additional parameters used by PKCE (i.e. code_verifier, code_challenge, and code_challenge_method) - Default code_verifier length has been set to 128 characters--the maximum allowed by RFC7636 - ClientAuthenticationMethod.NONE was added to allow clients to request tokens without providing a client secret Fixes gh-6446	2019-02-28 11:38:48 -05:00
Josh Cummings	fba25614bf	Reactive Opaque Token Support Fixes: gh-6513	2019-02-15 15:59:25 -06:00
Rob Winch	752733e8de	Polish WebSessionOAuth2ServerAuthorizationRequestRepository Format Issue: gh-6215	2019-02-15 15:01:11 -06:00
Zhanwei Wang	a60fd43534	Fix OAuth2 Client with Ditributed Session Fixes: gh-6215	2019-02-15 15:01:11 -06:00
Joe Grandja	0c27f64338	ServletOAuth2AuthorizedClientExchangeFilterFunction supports chaining Fixes gh-6483	2019-02-13 11:19:44 -05:00
Fabien Arrault	17e774d8c7	Preserve existing refresh token if new refresh token not returned During an oauth2 refresh if the authorization server doesn't return a new refresh token, preserve the existing one. Fixes: gh-6503	2019-02-07 15:11:23 -05:00
Josh Cummings	ef9c3e4771	Opaque Token Support Fixes: gh-5200	2019-02-07 12:40:12 -07:00
Joe Grandja	594a169798	Introduce OAuth2AuthorizationRequest.attributes Fixes gh-5940	2019-02-07 11:49:17 -05:00
Gerardo Roza	95e0e7243d	Save original request on oauth2Client filter When we used the oauth2Client directive and requested an endpoint that required client authorization on the authorization server, the SPRING_SECURITY_SAVED_REQUEST was not persisted, and therefore after creating the authorized client we were redirected to the root page ("/"). Now we are storing the session attribute and getting redirected back to the original URI as expected. Note that the attribute is stored only when a ClientAuthorizationRequiredException is thrown in the chain, we dont want to store it as a response to the /oauth2/authorization/{registrationId} endpoint, since we would end up in an infinite loop Fixes gh-6341	2019-01-25 09:15:44 -06:00
Joe Grandja	2a867997e2	Polish gh-6415	2019-01-14 13:33:58 -05:00
Rafael Dominguez	fe5f10e9a2	Extract the ID Token JwtDecoderFactory to enable user customization This commit ensures that the JwtDecoderFactory is not a private field inside the Oidc authentication provider by extracting this class and giving the possibility to customize the way different providers are validated. Fixes: gh-6379	2019-01-14 13:33:58 -05:00
Adrian Javorski	dd45a49f02	Update JwtTimestampValidator.java Changed MaxClockSkew variable to clockSkew to simplify the name. Fixes gh-6380	2019-01-14 10:33:38 -07:00
Joe Grandja	f234a5fbdb	ID Token validation supports clock skew Fixes gh-5839	2019-01-09 16:03:13 -05:00
Joe Grandja	d878dbf30e	Polish gh-6349	2019-01-09 10:15:02 -05:00
Rafael Dominguez	057ed616c4	Improve error messages in OidcIdTokenValidator This commit ensures that error messages contain more specific information regarding the reported error. Fixes: gh-6323	2019-01-09 10:15:02 -05:00
Johnny Lim	c94f13a971	Polish tests	2019-01-08 11:16:22 -06:00
Joe Grandja	673a2adf26	Polish oauth2 client ExchangeFilterFunction's Fixes gh-6355	2019-01-07 14:39:25 -05:00
Joe Grandja	993e11dcd3	Polish gh-6127	2019-01-07 13:50:17 -05:00
Warren Bailey	1c9ab9197e	When expired retrieve new Client Credentials token. Once client credentials access token has expired retrieve a new token from the OAuth2 authorization server. These tokens can't be refreshed because they do not have a refresh token associated with. This is standard behaviour for Oauth 2 client credentails Fixes gh-5893	2019-01-07 13:50:17 -05:00
Josh Cummings	d77b12d229	authorization_uri Uses UriComponentsBuilder Because of this, authorization_uri can now be a fully-qualified url. Fixes: gh-5760	2018-12-21 13:23:47 -07:00
Joe Grandja	9c0d78da71	Extract OidcTokenValidator to an OAuth2TokenValidator Fixes gh-5930	2018-12-21 11:06:40 -05:00
Joe Grandja	12f320851d	Set openid scope in OAuth2LoginTests	2018-12-21 09:24:55 -06:00
Joe Grandja	8f4f52edb9	Support configurable JwtDecoder for IdToken verification Fixes gh-5717	2018-12-21 09:24:55 -06:00
Eric Deandrea	0f7dff3774	Introduce ReactiveJwtAuthenticationConverter Some changes based on PR comments Fixes gh-6273	2018-12-17 14:12:53 -07:00
Josh Cummings	1bfa38b1bd	Validate Scopes in ClientRegistrationBuilder Fixes: gh-6256	2018-12-14 10:41:29 -07:00
shraiysh	e25bea2cf7	Author: Shraiysh Vaishay cs17btech11050@iith.ac.in Add WebClientReactiveAuthorizationCodeTokenResponseClient.setWebClient Fixes gh-6182	2018-12-06 11:18:39 -06:00
Josh Cummings	566bc6a6e1	Test OpenID Discovery with Trailing Slash Fixes gh-6234	2018-12-05 10:54:30 -07:00
Nicolas Le Bas	ba8a337f9a	Accept a case-insensitive "Bearer" keyword The Authorization header was matched for OAuth2 against the "Bearer" keyword in a case sensitive fashion. According to RFC 2617, it should be case insensitive and some oauth clients (including some earlier versions of spring-security) expect it so. This is the reactive counterpart to commit 63f2b6094f59cc9ded6a83ac3def4a1726890a8b . Fixes gh-6195	2018-12-02 09:32:27 -05:00
Nicolas Le Bas	63f2b6094f	The "Bearer" keyword should be case-insensitive The Authorization header was matched for OAuth2 against the "Bearer" keyword in a case sensitive fashion. According to RFC 2617, it should be case insensitive and some oauth clients (including some earlier versions of spring-security) expect it so.	2018-11-28 19:34:47 -07:00
jer051	fdc81822ec	Add WebClientReactiveClientCredentialsTokenResponseClient setWebClient Added the ability to specify a custom WebClient in WebClientReactiveClientCredentialsTokenResponseClient. Also added testing to ensure the custom WebClient is not null and is used. Fixes: gh-6051	2018-11-28 15:44:36 -06:00
Josh Cummings	2a8233d035	Remove PowerMock from oauth2-core and oauth2-jose Issue: gh-6025	2018-11-20 14:02:10 -07:00
Josh Cummings	80e13bad41	Remove PowerMock from oauth2-client Issue: gh-6025	2018-11-19 18:09:00 -07:00
Josh Cummings	39933b10ff	Add scopes method to TestOAuth2AccessTokens Issue: gh-6025	2018-11-19 18:06:40 -07:00
dperezcabrera	f6414e9a52	Make InMemory*ClientRegistrationRepository Consistent The previous builders with the list argument were inconsistent with their respective builders of var args.	2018-11-19 15:09:30 -06:00
Rafael Dominguez	e1d68e4f6b	WebClientReactiveClientCredentialsTokenResponseClient.getTokenResponse expects 2xx http status code This ensures that token response is only extracted when ClientResponse has a successful status Fixes: gh-6089	2018-11-19 10:50:33 -06:00
Josh Cummings	1ea73e7d8e	Jwt Decoder Local Key Configuration Adds support for configuring Resource Server DSL with a local public key. Fixes: gh-5131	2018-11-16 13:07:19 -06:00
Rafael Dominguez	75a2c2b729	OAuth2AccessTokenResponseBodyExtractor supports Object values This commit ensures the token response is parsed correctly if the values are not a String. Fixes: gh-6087	2018-11-15 13:23:36 -06:00
Josh Cummings	d28e32b000	NimbusJwtDecoder Builder A Builder to simply common construction patterns for NimbusJwtDecoder Issue: gh-6010	2018-11-14 15:53:47 -06:00
Josh Cummings	fbcf48cea0	Low-level Nimbus Jwt Decoder Introduces a JwtDecoder which takes a raw Nimbus JWTProcessor configuration. Fixes: gh-5648	2018-11-14 15:53:47 -06:00
Josh Cummings	ae74f22e30	Reactive Jwt Claim Set Converter Support Exposes setClaimSetConverter on NimbusReactiveJwtDecoder, lining it up with the same support on NimbusJwtDecoder. Fixes: gh-6015	2018-11-13 15:31:08 -06:00
Josh Cummings	19649db9ce	Leave Issuer As String Since StringOrURI is a valid issuer, MappedJwtClaimSetConverter and JwtIssuerValidator no longer assume it. Issue: gh-6073	2018-11-13 11:39:15 -07:00
Josh Cummings	c70b65c5df	Favor URL.toExternalForm Converts URLs to Strings before comparing them. Uses toString(), which delegates to toExternalForm(). Fixes: gh-6073	2018-11-13 08:20:18 -07:00
Josh Cummings	a32d19ec7d	Polish NimbusReactiveJwtDecoderTests Issue: gh-5650	2018-11-12 15:04:00 -07:00
Joe Grandja	a96893a42a	Remove charset from Accept header in UserInfo request Fixes gh-6017	2018-10-25 12:56:45 -04:00
Vedran Pavic	e1b095df32	Allow in-memory client registration repos to be constructed with a map Fixes gh-5918	2018-10-18 14:07:12 -04:00
Josh Cummings	22bd8f1c1f	Reactive Jwt Authentication Converter Support Fixes: gh-5092	2018-10-15 11:55:12 -05:00
Joe Grandja	07d2e43d7a	Deprecate NimbusAuthorizationCodeTokenResponseClient Fixes gh-5954	2018-10-15 09:01:19 -04:00
Rob Winch	725b3b5482	Fix OAuth2AuthorizationCodeGrantWebFilter works w/ /{action/ Issue: gh-5856	2018-09-20 21:39:09 -05:00
Joe Grandja	9565e90b6e	Remove oauth2-oidc-sdk dependency from oauth2-jose module Fixes gh-5891	2018-09-20 15:20:11 -04:00

1 2 3 4 5 ...

392 Commits