Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-02-23 23:31:27 +00:00
Code Issues Packages Projects Releases Wiki Activity
7,857 Commits 33 Branches 337 Tags
Commit Graph

448 Commits

Author SHA1 Message Date
Josh Cummings
a45df2c802 Move OIDC Reactive Packaging 2019-03-19 09:00:46 -06:00
Josh Cummings
8f5493acce Move OIDC Servlet Packaging 2019-03-19 09:00:46 -06:00
Josh Cummings
fba31dfb6a Reactive Oidc RP-Initiated Logout 
Issue: gh-5350
 2019-03-19 09:00:46 -06:00
Josh Cummings
248a8c030b Support for OIDC RP-Initiated Logout 
Fixes: gh-5350
 2019-03-19 09:00:46 -06:00
Josh Cummings
55e8df1efe NimbusReactiveJwtDecoder Takes Reactive Processor 
Fixes: gh-5937
 2019-03-18 12:32:44 -06:00
Josh Cummings
9478abebd2 Internalize Nimbus JwtDecoder Builder 
Issue: gh-6010
 2019-03-18 12:32:44 -06:00
Spring Operator
b93528138e URL Cleanup 
This commit updates URLs to prefer the https protocol. Redirects are not followed to avoid accidentally expanding intentionally shortened URLs (i.e. if using a URL shortener).

# Fixed URLs

## Fixed Success
These URLs were switched to an https URL with a 2xx status. While the status was successful, your review is still recommended.

* http://www.apache.org/licenses/ with 1 occurrences migrated to:
  https://www.apache.org/licenses/ ([https](https://www.apache.org/licenses/) result 200).
* http://www.apache.org/licenses/LICENSE-2.0 with 2691 occurrences migrated to:
  https://www.apache.org/licenses/LICENSE-2.0 ([https](https://www.apache.org/licenses/LICENSE-2.0) result 200).
* http://www.apache.org/licenses/LICENSE-2.0.html with 2 occurrences migrated to:
  https://www.apache.org/licenses/LICENSE-2.0.html ([https](https://www.apache.org/licenses/LICENSE-2.0.html) result 200).
 2019-03-14 15:46:20 -05:00
Stephen Doxsee
7739a0e91a Add PKCE OAuth2 client support 
- Support has been added for "RFC7636: Proof Key for Code Exchange by OAuth Public Clients" (PKCE, pronounced "pixy") to mitigate against attacks targeting the interception of the authorization code
 - PkceParameterNames was added for the 3 additional parameters used by PKCE (i.e. code_verifier, code_challenge, and code_challenge_method)
 - Default code_verifier length has been set to 128 characters--the maximum allowed by RFC7636
 - ClientAuthenticationMethod.NONE was added to allow clients to request tokens without providing a client secret

Fixes gh-6446
 2019-02-28 11:38:48 -05:00
Josh Cummings
fba25614bf Reactive Opaque Token Support 
Fixes: gh-6513
 2019-02-15 15:59:25 -06:00
Rob Winch
752733e8de Polish WebSessionOAuth2ServerAuthorizationRequestRepository Format 
Issue: gh-6215
 2019-02-15 15:01:11 -06:00
Zhanwei Wang
a60fd43534 Fix OAuth2 Client with Ditributed Session 
Fixes: gh-6215
 2019-02-15 15:01:11 -06:00
Joe Grandja
0c27f64338 ServletOAuth2AuthorizedClientExchangeFilterFunction supports chaining 
Fixes gh-6483
 2019-02-13 11:19:44 -05:00
Fabien Arrault
17e774d8c7 Preserve existing refresh token if new refresh token not returned 
During an oauth2 refresh if the authorization server doesn't return a new refresh token, preserve the existing one.

Fixes: gh-6503
 2019-02-07 15:11:23 -05:00
Josh Cummings
ef9c3e4771 Opaque Token Support 
Fixes: gh-5200
 2019-02-07 12:40:12 -07:00
Joe Grandja
594a169798 Introduce OAuth2AuthorizationRequest.attributes 
Fixes gh-5940
 2019-02-07 11:49:17 -05:00
Gerardo Roza
95e0e7243d Save original request on oauth2Client filter 
When we used the oauth2Client directive and requested an endpoint that
required client authorization on the authorization server, the
SPRING_SECURITY_SAVED_REQUEST was not persisted, and therefore after
creating the authorized client we were redirected to the root page ("/").

Now we are storing the session attribute and getting redirected back to
the original URI as expected.

Note that the attribute is stored only when a
ClientAuthorizationRequiredException is thrown in the chain, we dont
want to store it as a response to the
/oauth2/authorization/{registrationId} endpoint, since we would end
up in an infinite loop

Fixes gh-6341
 2019-01-25 09:15:44 -06:00
Joe Grandja
2a867997e2 Polish gh-6415 2019-01-14 13:33:58 -05:00
Rafael Dominguez
fe5f10e9a2 Extract the ID Token JwtDecoderFactory to enable user customization 
This commit ensures that the JwtDecoderFactory is not a private field inside
the Oidc authentication provider by extracting this class and giving the
possibility to customize the way different providers are validated.

Fixes: gh-6379
 2019-01-14 13:33:58 -05:00
Adrian Javorski
dd45a49f02 Update JwtTimestampValidator.java 
Changed MaxClockSkew variable to clockSkew to simplify the name.

Fixes gh-6380
 2019-01-14 10:33:38 -07:00
Joe Grandja
f234a5fbdb ID Token validation supports clock skew 
Fixes gh-5839
 2019-01-09 16:03:13 -05:00
Joe Grandja
d878dbf30e Polish gh-6349 2019-01-09 10:15:02 -05:00
Rafael Dominguez
057ed616c4 Improve error messages in OidcIdTokenValidator 
This commit ensures that error messages contain more specific
information regarding the reported error.

Fixes: gh-6323
 2019-01-09 10:15:02 -05:00
Johnny Lim
c94f13a971 Polish tests 2019-01-08 11:16:22 -06:00
Joe Grandja
673a2adf26 Polish oauth2 client ExchangeFilterFunction's 
Fixes gh-6355
 2019-01-07 14:39:25 -05:00
Joe Grandja
993e11dcd3 Polish gh-6127 2019-01-07 13:50:17 -05:00
Warren Bailey
1c9ab9197e When expired retrieve new Client Credentials token. 
Once client credentials access token has expired retrieve a new token from the OAuth2 authorization server.
These tokens can't be refreshed because they do not have a refresh token associated with. This is standard behaviour for Oauth 2 client credentails

Fixes gh-5893
 2019-01-07 13:50:17 -05:00
Josh Cummings
d77b12d229 authorization_uri Uses UriComponentsBuilder 
Because of this, authorization_uri can now be a fully-qualified url.

Fixes: gh-5760
 2018-12-21 13:23:47 -07:00
Joe Grandja
9c0d78da71 Extract OidcTokenValidator to an OAuth2TokenValidator 
Fixes gh-5930
 2018-12-21 11:06:40 -05:00
Joe Grandja
12f320851d Set openid scope in OAuth2LoginTests 2018-12-21 09:24:55 -06:00
Joe Grandja
8f4f52edb9 Support configurable JwtDecoder for IdToken verification 
Fixes gh-5717
 2018-12-21 09:24:55 -06:00
Eric Deandrea
0f7dff3774 Introduce ReactiveJwtAuthenticationConverter 
Some changes based on PR comments

Fixes gh-6273
 2018-12-17 14:12:53 -07:00
Josh Cummings
1bfa38b1bd
Validate Scopes in ClientRegistrationBuilder 
Fixes: gh-6256
 2018-12-14 10:41:29 -07:00
shraiysh
e25bea2cf7 Author: Shraiysh Vaishay cs17btech11050@iith.ac.in 
Add WebClientReactiveAuthorizationCodeTokenResponseClient.setWebClient

Fixes gh-6182
 2018-12-06 11:18:39 -06:00
Josh Cummings
566bc6a6e1
Test OpenID Discovery with Trailing Slash 
Fixes gh-6234
 2018-12-05 10:54:30 -07:00
Nicolas Le Bas
ba8a337f9a Accept a case-insensitive "Bearer" keyword 
The Authorization header was matched for OAuth2
against the "Bearer" keyword in a case sensitive
fashion.
According to RFC 2617, it should be case insensitive
and some oauth clients (including some earlier
versions of spring-security) expect it so.

This is the reactive counterpart to commit
63f2b6094f59cc9ded6a83ac3def4a1726890a8b .

Fixes gh-6195
 2018-12-02 09:32:27 -05:00
Nicolas Le Bas
63f2b6094f The "Bearer" keyword should be case-insensitive 
The Authorization header was matched for OAuth2
against the "Bearer" keyword in a case sensitive
fashion.
According to RFC 2617, it should be case insensitive
and some oauth clients (including some earlier
versions of spring-security) expect it so.
 2018-11-28 19:34:47 -07:00
jer051
fdc81822ec Add WebClientReactiveClientCredentialsTokenResponseClient setWebClient 
Added the ability to specify a custom WebClient in
WebClientReactiveClientCredentialsTokenResponseClient.
Also added testing to ensure the custom WebClient is not null and is
used.

Fixes: gh-6051
 2018-11-28 15:44:36 -06:00
Josh Cummings
2a8233d035
Remove PowerMock from oauth2-core and oauth2-jose 
Issue: gh-6025
 2018-11-20 14:02:10 -07:00
Josh Cummings
80e13bad41
Remove PowerMock from oauth2-client 
Issue: gh-6025
 2018-11-19 18:09:00 -07:00
Josh Cummings
39933b10ff
Add scopes method to TestOAuth2AccessTokens 
Issue: gh-6025
 2018-11-19 18:06:40 -07:00
dperezcabrera
f6414e9a52 Make InMemory*ClientRegistrationRepository Consistent 
The previous builders with the list argument were inconsistent with their
respective builders of var args.
 2018-11-19 15:09:30 -06:00
Rafael Dominguez
e1d68e4f6b WebClientReactiveClientCredentialsTokenResponseClient.getTokenResponse expects 2xx http status code 
This ensures that token response is only extracted when ClientResponse has a successful status

Fixes: gh-6089
 2018-11-19 10:50:33 -06:00
Josh Cummings
1ea73e7d8e Jwt Decoder Local Key Configuration 
Adds support for configuring Resource Server DSL with a local public
key.

Fixes: gh-5131
 2018-11-16 13:07:19 -06:00
Rafael Dominguez
75a2c2b729 OAuth2AccessTokenResponseBodyExtractor supports Object values 
This commit ensures the token response is parsed correctly if the values are not a String.

Fixes: gh-6087
 2018-11-15 13:23:36 -06:00
Josh Cummings
d28e32b000 NimbusJwtDecoder Builder 
A Builder to simply common construction patterns for NimbusJwtDecoder

Issue: gh-6010
 2018-11-14 15:53:47 -06:00
Josh Cummings
fbcf48cea0 Low-level Nimbus Jwt Decoder 
Introduces a JwtDecoder which takes a raw Nimbus JWTProcessor
configuration.

Fixes: gh-5648
 2018-11-14 15:53:47 -06:00
Josh Cummings
ae74f22e30 Reactive Jwt Claim Set Converter Support 
Exposes setClaimSetConverter on NimbusReactiveJwtDecoder, lining it up
with the same support on NimbusJwtDecoder.

Fixes: gh-6015
 2018-11-13 15:31:08 -06:00
Josh Cummings
19649db9ce
Leave Issuer As String 
Since StringOrURI is a valid issuer, MappedJwtClaimSetConverter and
JwtIssuerValidator no longer assume it.

Issue: gh-6073
 2018-11-13 11:39:15 -07:00
Josh Cummings
c70b65c5df
Favor URL.toExternalForm 
Converts URLs to Strings before comparing them. Uses toString(),
which delegates to toExternalForm().

Fixes: gh-6073
 2018-11-13 08:20:18 -07:00
Josh Cummings
a32d19ec7d
Polish NimbusReactiveJwtDecoderTests 
Issue: gh-5650
 2018-11-12 15:04:00 -07:00