ClientRegistration.Builder defaulted to validating as an
authorization_code registration, though a custom grant type could be in
use. The actual grant_type is now verified for every case.
- Fixed validation in ClientRegistration.Builder
- New test that fails unless the issue is fixed.
Also made OAuth2AuthorizationGrantRequestEntityUtils public to help
implementing custom token response clients.
Fixes gh-7040
These four items, not three items, constitute the auth process:
. A user is prompted to log in with a username and password.
. The system (successfully) verifies that the password is correct for the username.
. The context information for that user is obtained (their list of roles and so on).
. A security context is established for the user
Prior to this change, "HttpBasicSpec#authenticationManager" and
"FormLoginSpec#authenticationManager" were always overridden by
"ServerHttpSecurity#authenticationManager".
This commit makes sure override only happens when custom authentication
manager was not specified.
Fixes: gh-5660
Previously ServerBearerTokenAuthenticationConverter would throw an
IllegalArgumentException when the access token in a URI was empty String.
It also incorrectly provided HttpStatus.BAD_REQUEST for an empty String
access token in the headers.
This changes ServerBearerTokenAuthenticationConverter to consistently
throw a OAuth2AuthenticationException with an HttpStatus.UNAUTHORIZED
Fixes gh-7011
Issue #5856
Commit 385bdfc055854581e9e9f671d11f86a978c27c42
NOTE: This commit 'partially' reverts #5856. Only the ServerWebExchangeMatcher for OAuth2LoginSpec is reverted.
Fixes gh-6890
The 5.1.x code will only update patch versions of Spring Framework, so we
should lock down the Snapshot tests to use the latest 5.1.x changes
Fixes: gh-6880
Previously UnAuthenticatedServerOAuth2AuthorizedClientRepository used a HashMap for storing OAuth2AuthorizedClients.
UnAuthenticatedServerOAuth2AuthorizedClientRepository and its HashMap are potentially accessed by multiple threads without any synchronization.
Since HashMap is not threadsafe itself, this makes UnAuthenticatedServerOAuth2AuthorizedClientRepository not threadsafe.
Now UnAuthenticatedServerOAuth2AuthorizedClientRepository uses a ConcurrentHashMap for storing OAuth2AuthorizedClients.
Since ConcurrentHashMap is threadsafe, UnAuthenticatedServerOAuth2AuthorizedClientRepository will now be threadsafe as well.
Fixes gh-6717
Prior to this change, ServerOAuth2AuthorizedClientExchangeFilterFunction would invoke next.exchange:
- first at assembly time inside the .switchIfEmpty call.
- second at execution time inside .flatMap when a OAuth2AuthorizedClient is found.
While this double-call should not technically cause any functional problems, since the Mono returned by the first call will not be subscribed if a OAuth2AuthorizedClient is found,
it does result in a lot of unnecessary execution and object creation. There is no technical need to invoke the downstream filters twice.
This change defers the call inside .switchIfEmpty, so that it will only execute at execution time if an OAuth2AuthorizedClient is not found.
After this change, ServerOAuth2AuthorizedClientExchangeFilterFunction will not invoke next.exchange at assembly time, and will only execute next.exchange once per subscription at execution time.
Fixes gh-6719
