Per the servlet spec, getParameter(name) consumes the request body for
POST requests.
This commit prevents DefaultOAuth2AuthorizationRequestResolver from
consuming the request body for non-Authorization requests.
Closes gh-8650
- Add "issuerUri" attribute to ClientRegistration.providerDetails for OpenID Connect Discovery 1.0 or OAuth 2.0 Authorization Server Metadata.
- Validate OidcIdToken "iss" claim against the OpenID Provider "issuerUri" value.
- Update documentation for client registration: it includes issuer-uri property now.
Fixes gh-8326
Before this commit, JdbcOAuth2AuthorizedClientService threw DuplicateKeyException when re-authorizing or when authorizing the same user from a different client.
This commit makes JdbcOAuth2AuthorizedClientService's saveAuthorizedClient method consistent with that of InMemoryOAuth2AuthorizedClientService.
Fixes gh-8425
When the issuer is set in the provider metadata, we validate the iss
field of the ID Token against it.
The OpenID Connect Specification says this must always be validated.
But this would be a breaking change for applications configured other
than with ClientRegistrations.fromOidcIssuerLocation(issuer). This will
be done later with #8326
Fixes gh-8321
Allow the configuration of a custom GrantedAuthorityMapper for reactive OAuth2Login
- Add setter in OidcAuthorizationCodeReactiveAuthenticationManager
and OAuth2LoginReactiveAuthenticationManager
- Use an available GrantedAuthorityMapper bean to configure the default ReactiveAuthenticationManager
Fixes gh-8324
1. update OAuth2LoginAuthenticationProvider to use
OAuth2AuthorizationCodeAuthenticationProvider
2. apply fix gh-5368 for OAuth2AuthorizationCodeAuthenticationProvider
to return additionalParameters value from accessTokenResponse
Fixes gh-5633
All ReactiveOAuth2AuthorizedClientManagers now have authorization success/failure handlers.
A success handler is provided to save authorized clients for future requests.
A failure handler is provided to remove previously saved authorized clients.
ServerOAuth2AuthorizedClientExchangeFilterFunction also makes use of a
failure handler in the case of unauthorized or forbidden http status code.
The main use cases now handled are
- remove authorized client when an authorization server indicates that a refresh token is no longer valid (when authorization server returns invalid_grant)
- remove authorized client when a resource server indicates that an access token is no longer valid (when resource server returns invalid_token)
Introduced ClientAuthorizationException to capture details needed when removing an authorized client.
All ReactiveOAuth2AccessTokenResponseClients now throw a ClientAuthorizationException on failures.
Created AbstractWebClientReactiveOAuth2AccessTokenResponseClient to unify common logic between all ReactiveOAuth2AccessTokenResponseClients.
Fixes gh-7699
Rename OAuth2AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager to AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager.
Handle empty mono returned from contextAttributesMapper.
Handle empty map returned from contextAttributesMapper.
Fix DefaultContextAttributesMapper so that it doesn't access ServerWebExchange.
Fix unit tests so that they pass.
Use StepVerifier in unit tests, rather than .subscribe().
Fixes gh-7569
ReactiveOAuth2AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager is reactive
version of AuthorizedClientServiceOAuth2AuthorizedClientManager
Fixes: gh-7569
OpenID Connect Discovery 1.0 expects the OpenId Provider Metadata
response is expected to return a valid jwks_uri, however, this field is
optional in the Authorization Server Metadata response as per RFC 8414
specification.
Fixes gh-7512
Previously, saveAuthorizedClient never actually saved the authorized
client, because it ignored the Mono<Void> returned from
authorizedClientRepository.saveAuthorizedClient.
Now, it does not ignore the Mono<Void> returned from
authorizedClientRepository.saveAuthorizedClient, and includes it in
the stream, and therefore it will properly save the authorized client.
Fixes gh-7546
Improve handling of IOException to report an
AuthenticationServiceExceptionThere are many reasons that a
DefaultReactiveOAuth2UserService might fail due to an IOException
(i.e. SSLHandshakeException). In those cases we should use a
AuthenticationServiceException so that users are aware there is likely
some misconfiguration.
Fixes gh-7370
Dirties the WebSession by putting the amended AUTHORIZATION_REQUEST map into
the WebSession even it was already in the map. This causes common SessionRepository
implementations like Redis to persist the updated attribute.
Fixes gh-7327
Author: Andreas Kluth <mail@andreaskluth.net>
First version of replacing streams
fix wwwAuthenticate and codestyle
fix errors in implementation to pass tests
Fix review notes
Remove uneccessary final to align with cb
Short circuit way to authorize
Simplify error message, make code readably
Return error while duplicate key found
Delete check for duplicate, checkstyle issues
Return duplicate error
Fixes gh-7154
Phillip Webb
Martin Vietz
Joe Grandja
Dennis Neufeld
Josh Cummings
Eleftheria Stein
Erik Bakker
Parikshit Dutta
Joe Grandja
Thomas Vitale
Stav Shamir
Daniel Furtlehner
Antonin Arquey
Ruby Hartono
Martin Nemec
Stephane Maldini
Phil Clay
Rob Winch
Ankur Pathak
Rafiullah Hamedy
Everett Irwin
Mark Heckler
Eddú Meléndez
Andreas Kluth
kostya05983