255 Commits

Author SHA1 Message Date
Josh Cummings
ae6fb8c681
Add Deprecated Versions of Original Classes
Issue gh-7349
2022-09-23 16:31:22 -06:00
Josh Cummings
37a160245f
Adjust OAuth2 Resource Server packaging
Closes gh-7349
2022-09-23 16:31:21 -06:00
Josh Cummings
53dbcfd457
Add Deprecated Versions of Original Classes
Issue gh-7349
2022-09-23 12:06:59 -06:00
Steve Riesenberg
3c66ef6305
Change default SecurityContextRepository
Save SecurityContext in request attributes for stateless session
management using RequestAttributeSecurityContextRepository.

Closes gh-11026
2022-09-22 17:31:14 -05:00
Josh Cummings
70460ca009
Adjust OAuth2 Resource Server packaging
Closes gh-7349
2022-09-20 17:44:05 -06:00
Steve Riesenberg
2431dd1103
Merge branch '5.8.x' 2022-09-13 17:38:10 -05:00
Steve Riesenberg
355ef21117
Polish gh-11665 2022-09-13 16:45:39 -05:00
ch4mpy
1efb63387f
Add authentication converter for introspected tokens
Adds configurable authentication converter for resource-servers with
token introspection (something very similar to what
JwtAuthenticationConverter does for resource-servers with JWT decoder).

The new (Reactive)OpaqueTokenAuthenticationConverter is given
responsibility for converting successful token introspection result
into an Authentication instance (which is currently done by a private
methods of OpaqueTokenAuthenticationProvider and
OpaqueTokenReactiveAuthenticationManager).

The default (Reactive)OpaqueTokenAuthenticationConverter, behave the
same as current private convert(OAuth2AuthenticatedPrincipal principal,
String token) methods: map authorities from scope attribute and build a
BearerTokenAuthentication.

Closes gh-11661
2022-09-13 16:45:36 -05:00
Joe Grandja
65db5fa028 Remove deprecations in JwtAuthenticationConverter
Closes gh-11587
2022-07-15 14:43:08 -04:00
Joe Grandja
7df9c6eba5 Use OAuth2Token instead of AbstractOAuth2Token
Closes gh-10959
2022-07-13 16:48:28 -04:00
Joe Grandja
f87df42500 Remove deprecated OAuth2IntrospectionClaimAccessor
Closes gh-11499
2022-07-13 15:51:58 -04:00
Joe Grandja
7b18336c6a Change interface with constants to final class
Closes gh-10960
2022-07-13 15:51:58 -04:00
Josh Cummings
1d72a05c32
Add SecurityContextHolderStrategy to OAuth2
Issue gh-11060
2022-06-27 13:05:12 -06:00
Marcus Da Coregio
806e05855c Replace removed context-related operators
Closes gh-11194
2022-05-10 14:58:02 -03:00
Steve Riesenberg
8aa7029d07 Fix checkstyle errors
Issue gh-10989
2022-03-18 22:53:29 -05:00
Rob Winch
9b380582dc BearerTokenAuthenticationFilter.securityContextRepository
Issue gh-10953
2022-03-09 15:47:34 -06:00
Rob Winch
9db79aa5d7 BearerTokenAuthenticationFilter.securityContextRepository
Issue gh-10953
2022-03-09 15:33:42 -06:00
Josh Cummings
538541bf40 Don't Cache ReactiveJwtDecoders Errors
Closes gh-10444
2021-11-10 17:35:53 -07:00
Josh Cummings
2a6e00ceb0 Don't Cache ReactiveJwtDecoders Errors
Closes gh-10444
2021-11-10 17:33:03 -07:00
Marcus Da Coregio
db60df2f9c Update to Spring Framework 6.0
Issue gh-10360
2021-11-01 09:02:42 -03:00
Rob Winch
f836897190 Checkstyle Fixes
- Javadoc tag ordering
- Private constructors before inner classes

Issue gh-10394
2021-10-18 21:03:35 -05:00
Philipp Neuschwander
6db58cbf8a Conditionally resolve bearer token from request parameters
Before this commit, the DefaultBearerTokenResolver unconditionally
resolved the request parameters to check whether multiple tokens
are present in the request and reject those requests as invalid.

This commit changes this behaviour to resolve the request parameters
only if parameter token is supported for the specific request
according to spec (RFC 6750).

Closes gh-10326
2021-10-13 17:10:50 -05:00
Darren Forsythe
5556b821e3 Check for multiple access tokens per rfc 6750
Check for multiple access tokens on the ServerHttpRequest rather than get get first. If multiples are found throw a OAuth2AuthenticationException.

Closes gh-5708
2021-09-28 08:07:06 -06:00
Ashley Scopes
171522ebf2 Replace usages of deprecated OAuth2IntrospectionClaimNames
Replace all usages of OAuth2IntrospectionClaimNames with
the suggested OAuth2TokenIntrospectionClaimNames.

There does not appear to be any further usages of OAuth2IntrospectionClaimNames,
so it should be suitable for removal when appropriate in accordance with the
deprecation policy.
2021-09-15 15:05:08 -06:00
Ashley Scopes
7ccc915b2b Ensuring consistency in error handling of opaque providers/managers
The OpaqueTokenAuthenticationProvider now propagates the cause of
introspection exceptions in the same way that the reactive
OpaqueTokenReactiveAuthenticationManager does.

Fixed a final field warning on both OpaqueTokenAuthenticationProvider
and OpaqueTokenReactiveAuthenticationManager.
2021-09-15 15:05:08 -06:00
Ashley Scopes
e9d5bbba34 Fixed final field warnings in opaque token introspectors 2021-09-15 15:05:08 -06:00
Ashley Scopes
95c2403968 Fixed potential NullPointerException in opaque token introspection
It appears Nimbus does not check the presence of the Content-Type
header before parsing it in some versions, and since prior to this
commit, the code is .toString()-ing the result, a malformed response
(such as that from a misbehaving cloud gateway) that does not include
a Content-Type would currently throw a NullPointerException.

In addition to this, I have added a little more information to the
log output for this module on the standard and reactive implementations
to aid in debugging authorization/authentication issues much more
easily.
2021-09-15 15:05:08 -06:00
Ashley Scopes
dd43d9198b Amended treatment of OAuth2 'iss' claim
Prior to this commit, the OAuth2 resource server code is failing any issuer
that is not a valid URL. This does not correspond to
https://datatracker.ietf.org/doc/html/rfc7662#page-7 which redirects to
https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1, defining an
issuer as being a "StringOrURI", which is defined at
https://datatracker.ietf.org/doc/html/rfc7519#page-5 as being
an "arbitrary string value" that "MUST be a URI" only for
"any value containing a ':'".

The issue currently is that an issuer that is not a valid URL may be
provided, which will automatically result in the request being aborted
due to being invalid.

I have removed the check entirely, since while the claim could be invalid,
it is still a response that the OAuth2 introspection endpoint has provided.
In the liklihood that interpretations of this behaviour are different for
the OAuth2 server implementation in use, this currently stops Spring
Security from being able to be used at all without implementing a custom
introspector from scratch.

It is also worth noting that the spec does not specify whether it is
valid to normalize issuers or not if they are valid URLs. This may cause
other unintended side effects as a result of this change, so it is
safer to disable it entirely.
2021-09-15 15:05:08 -06:00
/usr/local/ΕΨΗΕΛΩΝ
4302a86fad
Default principalClaimName to SUB
Closes gh-10214
2021-08-20 15:02:22 -06:00
Josh Cummings
cdc902d04d
Update SpringOpaqueTokenIntrospector
Issue gh-9647
2021-08-12 16:52:02 -06:00
Dávid Kováč
3ff825576b Move and rename OAuth2IntrospectionClaimAccessor/Names
Introduced OAuth2TokenIntrospectionClaimAccessor and OAuth2TokenIntrospectionClaimNames
with copied implementation from OAuth2IntrospectionClaimAccessor/Names.
OAuth2IntrospectionClaimAccessor and OAuth2IntrospectionClaimNames are
now deprecated.

Also method getScopes() returning list of scopes was introduced
and getScope() is now deprecated.

Closes gh-9647
2021-08-12 16:51:33 -06:00
Josh Cummings
6370906ead
Add SpringOpaqueTokenIntrospector
Closes gh-9354
2021-07-26 10:50:50 -06:00
Rob Winch
3e93b024d6 openrewrite Junit Migration 2021-07-09 14:32:52 -05:00
Eleftheria Stein
204a32aba8 Replace < and > with &lt and &gt in Javadoc
Closes gh-9847
2021-06-04 12:26:07 +03:00
Marcus Hert da Coregio
6413511eb6 Update Deprecated Property in Opaque Token Introspectors
Update NimbusOpaqueTokenIntrospector and NimbusReactiveOpaqueTokenIntrospector to use MediaType.APPLICATION_JSON instead of the deprecated MediaType.APPLICATION_JSON_UTF8

Closes gh-9353
2021-05-06 13:47:09 -06:00
Josh Cummings
7ded671858
Refactor AuthenticationDetailsSource support
- BearerTokenAuthenticationFilter exposes this directly, simplifying
configuration and removing a package tangle

Closes gh-9576
2021-04-09 12:41:16 -06:00
Rob Winch
f3f1106624 Update io.spring.javaformat to 0.0.27
Closes gh-9553
2021-04-05 22:23:59 -05:00
Josh Cummings
b774e91734
Polish BearerTokenAuthenticationConverter
Issue gh-8840
2021-03-12 15:05:06 -07:00
Jeongjin Kim
31f310fd22
Add BearerTokenAuthenticationConverter
BearerTokenAuthenticationConverter is introduced to solve the
problem of not being able to change AuthenticationDetailsSource.
BearerTokenAuthenticationFilter delegates to
BearerTokenAuthenticationConverter the task of creating
BearerTokenAuthenticationToken and setting AuthenticationDetailsSource.
BearerTokenAuthenticationConverter is customizable and the customized
converter can be used in BearerTokenAuthenticationFilter.

Closes gh-8840
2021-03-12 15:05:06 -07:00
Josh Cummings
ccb3b02888
Bearer Token Server-side Errors Return 500
Closes gh-9395
2021-02-10 12:35:34 -07:00
Josh Cummings
6499a235b0
Suppress Compiler Warnings 2021-01-08 11:30:28 -07:00
olivier.antoine
808b8c3256 Avoid ClassCastException if principalClaim value is not a String
Closes gh-9212
2020-12-02 16:15:10 -07:00
grimsa
c002c6f9f3
Add ClaimAccessor#hasClaim
The new method is intended to replace ClaimAccessor#containsClaim, the
return type of which was non-primitive Boolean. The existing
containsClaim method is now deprecated.

Closes gh-9201
2020-11-25 11:58:17 -07:00
Josh Cummings
b0d4e500a8
Polish Add DelegatingJwtGrantedAuthoritiesConverter
- Adjusted internal logic to follow DelegatingOAuth2TokenValidator
- Changed JavaDoc to align more closely with
JwtGrantedAuthoritiesConverter
- Polished test names to follow Spring Security naming convention
- Updated test class name to follow Spring Security naming convention
- Polished tests to use TestJwts
- Added tests to address additional use cases

Closes gh-7596
2020-11-24 15:31:07 -07:00
Ropi
97cc119d86
Add DelegatingJwtGrantedAuthoritiesConverter
Closes gh-7596
2020-11-24 14:18:40 -07:00
Josh Cummings
af669a2166
Remove Reliance on BearerTokenResolver
Closes gh-9186
2020-11-12 15:40:55 -07:00
Arvid Ottenberg
d0d655e18d
Allow Customization of Bearer Token Resolution
Closes gh-8535
2020-11-03 14:34:46 -07:00
Josh Cummings
366146ff80
Polish JWT Signature Algorithm Discovery
- Moved support to JwtDecoders and ReactiveJwtDecoders since there is
already the expectation that those classes make an outbound connection
to complete configuration. Since there's no outbound connection when
configuring a NimbusJwtDecoder or NimbusReactiveJwtDecoder, it would be
more intrusive to change that.

Closes gh-7160
2020-10-09 14:17:30 -06:00
Nick Hitchan
290786438c
Add Support for JWK Signature Algorithm Discovery
Issue gh-7160
2020-10-09 13:09:38 -06:00
Phillip Webb
c502312719 Replace expected @Test attributes with AssertJ
Replace JUnit expected @Test attributes with AssertJ calls.
2020-09-22 16:13:51 -06:00