Example 1 with OAuth2PasswordGrantRequest
use of org.springframework.security.oauth2.client.endpoint.OAuth2PasswordGrantRequest in project spring-security by spring-projects.
the class DefaultPasswordTokenResponseClient method getTokenResponse.
@Override
public OAuth2AccessTokenResponse getTokenResponse(OAuth2PasswordGrantRequest passwordGrantRequest) {
Assert.notNull(passwordGrantRequest, "passwordGrantRequest cannot be null");
RequestEntity<?> request = this.requestEntityConverter.convert(passwordGrantRequest);
ResponseEntity<OAuth2AccessTokenResponse> response = getResponse(request);
OAuth2AccessTokenResponse tokenResponse = response.getBody();
if (CollectionUtils.isEmpty(tokenResponse.getAccessToken().getScopes())) {
// As per spec, in Section 5.1 Successful Access Token Response
// https://tools.ietf.org/html/rfc6749#section-5.1
// If AccessTokenResponse.scope is empty, then default to the scope
// originally requested by the client in the Token Request
tokenResponse = OAuth2AccessTokenResponse.withResponse(tokenResponse).scopes(passwordGrantRequest.getClientRegistration().getScopes()).build();
}
return tokenResponse;
}
Also used :
OAuth2AccessTokenResponse(org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse)
Example 2 with OAuth2PasswordGrantRequest
use of org.springframework.security.oauth2.client.endpoint.OAuth2PasswordGrantRequest in project spring-security by spring-projects.
the class PasswordOAuth2AuthorizedClientProvider method authorize.
/**
* Attempt to authorize (or re-authorize) the
* {@link OAuth2AuthorizationContext#getClientRegistration() client} in the provided
* {@code context}. Returns {@code null} if authorization (or re-authorization) is not
* supported, e.g. the client's {@link ClientRegistration#getAuthorizationGrantType()
* authorization grant type} is not {@link AuthorizationGrantType#PASSWORD password}
* OR the {@link OAuth2AuthorizationContext#USERNAME_ATTRIBUTE_NAME username} and/or
* {@link OAuth2AuthorizationContext#PASSWORD_ATTRIBUTE_NAME password} attributes are
* not available in the provided {@code context} OR the
* {@link OAuth2AuthorizedClient#getAccessToken() access token} is not expired.
*
* <p>
* The following {@link OAuth2AuthorizationContext#getAttributes() context attributes}
* are supported:
* <ol>
* <li>{@link OAuth2AuthorizationContext#USERNAME_ATTRIBUTE_NAME} (required) - a
* {@code String} value for the resource owner's username</li>
* <li>{@link OAuth2AuthorizationContext#PASSWORD_ATTRIBUTE_NAME} (required) - a
* {@code String} value for the resource owner's password</li>
* </ol>
* @param context the context that holds authorization-specific state for the client
* @return the {@link OAuth2AuthorizedClient} or {@code null} if authorization (or
* re-authorization) is not supported
*/
@Override
@Nullable
public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
Assert.notNull(context, "context cannot be null");
ClientRegistration clientRegistration = context.getClientRegistration();
OAuth2AuthorizedClient authorizedClient = context.getAuthorizedClient();
if (!AuthorizationGrantType.PASSWORD.equals(clientRegistration.getAuthorizationGrantType())) {
return null;
}
String username = context.getAttribute(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME);
String password = context.getAttribute(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME);
if (!StringUtils.hasText(username) || !StringUtils.hasText(password)) {
return null;
}
if (authorizedClient != null && !hasTokenExpired(authorizedClient.getAccessToken())) {
// need for re-authorization
return null;
}
if (authorizedClient != null && hasTokenExpired(authorizedClient.getAccessToken()) && authorizedClient.getRefreshToken() != null) {
// RefreshTokenOAuth2AuthorizedClientProvider to handle the refresh
return null;
}
OAuth2PasswordGrantRequest passwordGrantRequest = new OAuth2PasswordGrantRequest(clientRegistration, username, password);
OAuth2AccessTokenResponse tokenResponse = getTokenResponse(clientRegistration, passwordGrantRequest);
return new OAuth2AuthorizedClient(clientRegistration, context.getPrincipal().getName(), tokenResponse.getAccessToken(), tokenResponse.getRefreshToken());
}
Also used :
OAuth2AccessTokenResponse(org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse)
ClientRegistration(org.springframework.security.oauth2.client.registration.ClientRegistration)
OAuth2PasswordGrantRequest(org.springframework.security.oauth2.client.endpoint.OAuth2PasswordGrantRequest)
Nullable(org.springframework.lang.Nullable)
Example 3 with OAuth2PasswordGrantRequest
use of org.springframework.security.oauth2.client.endpoint.OAuth2PasswordGrantRequest in project spring-security by spring-projects.
the class PasswordReactiveOAuth2AuthorizedClientProvider method authorize.
/**
* Attempt to authorize (or re-authorize) the
* {@link OAuth2AuthorizationContext#getClientRegistration() client} in the provided
* {@code context}. Returns an empty {@code Mono} if authorization (or
* re-authorization) is not supported, e.g. the client's
* {@link ClientRegistration#getAuthorizationGrantType() authorization grant type} is
* not {@link AuthorizationGrantType#PASSWORD password} OR the
* {@link OAuth2AuthorizationContext#USERNAME_ATTRIBUTE_NAME username} and/or
* {@link OAuth2AuthorizationContext#PASSWORD_ATTRIBUTE_NAME password} attributes are
* not available in the provided {@code context} OR the
* {@link OAuth2AuthorizedClient#getAccessToken() access token} is not expired.
*
* <p>
* The following {@link OAuth2AuthorizationContext#getAttributes() context attributes}
* are supported:
* <ol>
* <li>{@link OAuth2AuthorizationContext#USERNAME_ATTRIBUTE_NAME} (required) - a
* {@code String} value for the resource owner's username</li>
* <li>{@link OAuth2AuthorizationContext#PASSWORD_ATTRIBUTE_NAME} (required) - a
* {@code String} value for the resource owner's password</li>
* </ol>
* @param context the context that holds authorization-specific state for the client
* @return the {@link OAuth2AuthorizedClient} or an empty {@code Mono} if
* authorization (or re-authorization) is not supported
*/
@Override
public Mono<OAuth2AuthorizedClient> authorize(OAuth2AuthorizationContext context) {
Assert.notNull(context, "context cannot be null");
ClientRegistration clientRegistration = context.getClientRegistration();
OAuth2AuthorizedClient authorizedClient = context.getAuthorizedClient();
if (!AuthorizationGrantType.PASSWORD.equals(clientRegistration.getAuthorizationGrantType())) {
return Mono.empty();
}
String username = context.getAttribute(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME);
String password = context.getAttribute(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME);
if (!StringUtils.hasText(username) || !StringUtils.hasText(password)) {
return Mono.empty();
}
if (authorizedClient != null && !hasTokenExpired(authorizedClient.getAccessToken())) {
// need for re-authorization
return Mono.empty();
}
if (authorizedClient != null && hasTokenExpired(authorizedClient.getAccessToken()) && authorizedClient.getRefreshToken() != null) {
// handle the refresh
return Mono.empty();
}
OAuth2PasswordGrantRequest passwordGrantRequest = new OAuth2PasswordGrantRequest(clientRegistration, username, password);
return Mono.just(passwordGrantRequest).flatMap(this.accessTokenResponseClient::getTokenResponse).onErrorMap(OAuth2AuthorizationException.class, (e) -> new ClientAuthorizationException(e.getError(), clientRegistration.getRegistrationId(), e)).map((tokenResponse) -> new OAuth2AuthorizedClient(clientRegistration, context.getPrincipal().getName(), tokenResponse.getAccessToken(), tokenResponse.getRefreshToken()));
}
Also used :
OAuth2AuthorizationException(org.springframework.security.oauth2.core.OAuth2AuthorizationException)
OAuth2AuthorizationException(org.springframework.security.oauth2.core.OAuth2AuthorizationException)
Mono(reactor.core.publisher.Mono)
ReactiveOAuth2AccessTokenResponseClient(org.springframework.security.oauth2.client.endpoint.ReactiveOAuth2AccessTokenResponseClient)
OAuth2PasswordGrantRequest(org.springframework.security.oauth2.client.endpoint.OAuth2PasswordGrantRequest)
Instant(java.time.Instant)
ClientRegistration(org.springframework.security.oauth2.client.registration.ClientRegistration)
WebClientReactivePasswordTokenResponseClient(org.springframework.security.oauth2.client.endpoint.WebClientReactivePasswordTokenResponseClient)
Duration(java.time.Duration)
Clock(java.time.Clock)
AuthorizationGrantType(org.springframework.security.oauth2.core.AuthorizationGrantType)
OAuth2Token(org.springframework.security.oauth2.core.OAuth2Token)
Assert(org.springframework.util.Assert)
StringUtils(org.springframework.util.StringUtils)
ClientRegistration(org.springframework.security.oauth2.client.registration.ClientRegistration)
OAuth2PasswordGrantRequest(org.springframework.security.oauth2.client.endpoint.OAuth2PasswordGrantRequest)
Example 4 with OAuth2PasswordGrantRequest
use of org.springframework.security.oauth2.client.endpoint.OAuth2PasswordGrantRequest in project spring-security by spring-projects.
the class WebClientReactivePasswordTokenResponseClientTests method getTokenResponseWhenSuccessResponseIncludesScopeThenAccessTokenHasResponseScope.
@Test
public void getTokenResponseWhenSuccessResponseIncludesScopeThenAccessTokenHasResponseScope() throws Exception {
// @formatter:off
String accessTokenSuccessResponse = "{\n" + " \"access_token\": \"access-token-1234\",\n" + " \"token_type\": \"bearer\",\n" + " \"expires_in\": \"3600\",\n" + " \"scope\": \"read\"\n" + "}\n";
// @formatter:on
this.server.enqueue(jsonResponse(accessTokenSuccessResponse));
OAuth2PasswordGrantRequest passwordGrantRequest = new OAuth2PasswordGrantRequest(this.clientRegistrationBuilder.build(), this.username, this.password);
OAuth2AccessTokenResponse accessTokenResponse = this.tokenResponseClient.getTokenResponse(passwordGrantRequest).block();
RecordedRequest recordedRequest = this.server.takeRequest();
String formParameters = recordedRequest.getBody().readUtf8();
assertThat(formParameters).contains("scope=read");
assertThat(accessTokenResponse.getAccessToken().getScopes()).containsExactly("read");
}
Also used :
OAuth2AccessTokenResponse(org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse)
RecordedRequest(okhttp3.mockwebserver.RecordedRequest)
Test(org.junit.jupiter.api.Test)
Example 5 with OAuth2PasswordGrantRequest
use of org.springframework.security.oauth2.client.endpoint.OAuth2PasswordGrantRequest in project spring-security by spring-projects.
the class WebClientReactivePasswordTokenResponseClientTests method getTokenResponseWhenAuthenticationPrivateKeyJwtThenFormParametersAreSent.
@Test
public void getTokenResponseWhenAuthenticationPrivateKeyJwtThenFormParametersAreSent() throws Exception {
// @formatter:off
String accessTokenSuccessResponse = "{\n" + " \"access_token\": \"access-token-1234\",\n" + " \"token_type\": \"bearer\",\n" + " \"expires_in\": \"3600\"\n" + "}\n";
// @formatter:on
this.server.enqueue(jsonResponse(accessTokenSuccessResponse));
// @formatter:off
ClientRegistration clientRegistration = this.clientRegistrationBuilder.clientAuthenticationMethod(ClientAuthenticationMethod.PRIVATE_KEY_JWT).build();
// @formatter:on
// Configure Jwt client authentication converter
JWK jwk = TestJwks.DEFAULT_RSA_JWK;
Function<ClientRegistration, JWK> jwkResolver = (registration) -> jwk;
configureJwtClientAuthenticationConverter(jwkResolver);
OAuth2PasswordGrantRequest passwordGrantRequest = new OAuth2PasswordGrantRequest(clientRegistration, this.username, this.password);
this.tokenResponseClient.getTokenResponse(passwordGrantRequest).block();
RecordedRequest actualRequest = this.server.takeRequest();
assertThat(actualRequest.getHeader(HttpHeaders.AUTHORIZATION)).isNull();
assertThat(actualRequest.getBody().readUtf8()).contains("grant_type=password", "client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer", "client_assertion=");
}
Also used :
ArgumentMatchers.any(org.mockito.ArgumentMatchers.any)
BeforeEach(org.junit.jupiter.api.BeforeEach)
Assertions.assertThat(org.assertj.core.api.Assertions.assertThat)
OAuth2AuthorizationException(org.springframework.security.oauth2.core.OAuth2AuthorizationException)
SecretKeySpec(javax.crypto.spec.SecretKeySpec)
Function(java.util.function.Function)
BDDMockito.given(org.mockito.BDDMockito.given)
ClientAuthenticationMethod(org.springframework.security.oauth2.core.ClientAuthenticationMethod)
MockWebServer(okhttp3.mockwebserver.MockWebServer)
Assertions.assertThatExceptionOfType(org.assertj.core.api.Assertions.assertThatExceptionOfType)
OAuth2AccessToken(org.springframework.security.oauth2.core.OAuth2AccessToken)
TestClientRegistrations(org.springframework.security.oauth2.client.registration.TestClientRegistrations)
Converter(org.springframework.core.convert.converter.Converter)
TestOAuth2AccessTokenResponses(org.springframework.security.oauth2.core.endpoint.TestOAuth2AccessTokenResponses)
TestKeys(org.springframework.security.oauth2.jose.TestKeys)
RecordedRequest(okhttp3.mockwebserver.RecordedRequest)
HttpHeaders(org.springframework.http.HttpHeaders)
TestJwks(org.springframework.security.oauth2.jose.TestJwks)
MediaType(org.springframework.http.MediaType)
HttpMethod(org.springframework.http.HttpMethod)
MultiValueMap(org.springframework.util.MultiValueMap)
Mono(reactor.core.publisher.Mono)
BodyExtractor(org.springframework.web.reactive.function.BodyExtractor)
Instant(java.time.Instant)
OAuth2AccessTokenResponse(org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse)
ClientRegistration(org.springframework.security.oauth2.client.registration.ClientRegistration)
StandardCharsets(java.nio.charset.StandardCharsets)
JWK(com.nimbusds.jose.jwk.JWK)
Mockito.verify(org.mockito.Mockito.verify)
Test(org.junit.jupiter.api.Test)
AfterEach(org.junit.jupiter.api.AfterEach)
ReactiveHttpInputMessage(org.springframework.http.ReactiveHttpInputMessage)
Assertions.assertThatIllegalArgumentException(org.assertj.core.api.Assertions.assertThatIllegalArgumentException)
MockResponse(okhttp3.mockwebserver.MockResponse)
Collections(java.util.Collections)
LinkedMultiValueMap(org.springframework.util.LinkedMultiValueMap)
Mockito.mock(org.mockito.Mockito.mock)
RecordedRequest(okhttp3.mockwebserver.RecordedRequest)
ClientRegistration(org.springframework.security.oauth2.client.registration.ClientRegistration)
JWK(com.nimbusds.jose.jwk.JWK)
Test(org.junit.jupiter.api.Test)
Aggregations
Test (org.junit.jupiter.api.Test)17
ClientRegistration (org.springframework.security.oauth2.client.registration.ClientRegistration)17
OAuth2AccessTokenResponse (org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse)12
RecordedRequest (okhttp3.mockwebserver.RecordedRequest)11
Instant (java.time.Instant)7
HttpHeaders (org.springframework.http.HttpHeaders)7
OAuth2AuthorizationException (org.springframework.security.oauth2.core.OAuth2AuthorizationException)5
JWK (com.nimbusds.jose.jwk.JWK)4
StandardCharsets (java.nio.charset.StandardCharsets)4
Function (java.util.function.Function)4
SecretKeySpec (javax.crypto.spec.SecretKeySpec)4
MockResponse (okhttp3.mockwebserver.MockResponse)4
MockWebServer (okhttp3.mockwebserver.MockWebServer)4
Assertions.assertThat (org.assertj.core.api.Assertions.assertThat)4
Assertions.assertThatExceptionOfType (org.assertj.core.api.Assertions.assertThatExceptionOfType)4
Assertions.assertThatIllegalArgumentException (org.assertj.core.api.Assertions.assertThatIllegalArgumentException)4
AfterEach (org.junit.jupiter.api.AfterEach)4
BeforeEach (org.junit.jupiter.api.BeforeEach)4
HttpMethod (org.springframework.http.HttpMethod)4
MediaType (org.springframework.http.MediaType)4
