Example 16 with OidcUserRequest
use of org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest in project spring-security by spring-projects.
the class OidcUserServiceTests method loadUserWhenNonStandardScopesAuthorizedAndAccessibleScopesMatchThenUserInfoEndpointRequested.
// gh-6886
@Test
public void loadUserWhenNonStandardScopesAuthorizedAndAccessibleScopesMatchThenUserInfoEndpointRequested() {
// @formatter:off
String userInfoResponse = "{\n" + " \"sub\": \"subject1\",\n" + " \"name\": \"first last\",\n" + " \"given_name\": \"first\",\n" + " \"family_name\": \"last\",\n" + " \"preferred_username\": \"user1\",\n" + " \"email\": \"user1@example.com\"\n" + "}\n";
// @formatter:on
this.server.enqueue(jsonResponse(userInfoResponse));
String userInfoUri = this.server.url("/user").toString();
ClientRegistration clientRegistration = this.clientRegistrationBuilder.userInfoUri(userInfoUri).build();
this.accessToken = TestOAuth2AccessTokens.scopes("scope1", "scope2");
this.userService.setAccessibleScopes(Collections.singleton("scope2"));
OidcUser user = this.userService.loadUser(new OidcUserRequest(clientRegistration, this.accessToken, this.idToken));
assertThat(user.getUserInfo()).isNotNull();
}
Also used :
ClientRegistration(org.springframework.security.oauth2.client.registration.ClientRegistration)
OidcUser(org.springframework.security.oauth2.core.oidc.user.OidcUser)
Test(org.junit.jupiter.api.Test)
Example 17 with OidcUserRequest
use of org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest in project spring-security by spring-projects.
the class OidcUserServiceTests method loadUserWhenTokenContainsScopesThenIndividualScopeAuthorities.
@Test
public void loadUserWhenTokenContainsScopesThenIndividualScopeAuthorities() {
OidcUserService userService = new OidcUserService();
OidcUserRequest request = new OidcUserRequest(TestClientRegistrations.clientRegistration().build(), TestOAuth2AccessTokens.scopes("message:read", "message:write"), TestOidcIdTokens.idToken().build());
OidcUser user = userService.loadUser(request);
assertThat(user.getAuthorities()).hasSize(3);
Iterator<? extends GrantedAuthority> authorities = user.getAuthorities().iterator();
assertThat(authorities.next()).isInstanceOf(OidcUserAuthority.class);
assertThat(authorities.next()).isEqualTo(new SimpleGrantedAuthority("SCOPE_message:read"));
assertThat(authorities.next()).isEqualTo(new SimpleGrantedAuthority("SCOPE_message:write"));
}
Also used :
SimpleGrantedAuthority(org.springframework.security.core.authority.SimpleGrantedAuthority)
OidcUser(org.springframework.security.oauth2.core.oidc.user.OidcUser)
Test(org.junit.jupiter.api.Test)
Example 18 with OidcUserRequest
use of org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest in project spring-security by spring-projects.
the class OAuth2LoginConfigurer method init.
@Override
public void init(B http) throws Exception {
OAuth2LoginAuthenticationFilter authenticationFilter = new OAuth2LoginAuthenticationFilter(OAuth2ClientConfigurerUtils.getClientRegistrationRepository(this.getBuilder()), OAuth2ClientConfigurerUtils.getAuthorizedClientRepository(this.getBuilder()), this.loginProcessingUrl);
this.setAuthenticationFilter(authenticationFilter);
super.loginProcessingUrl(this.loginProcessingUrl);
if (this.loginPage != null) {
// Set custom login page
super.loginPage(this.loginPage);
super.init(http);
} else {
Map<String, String> loginUrlToClientName = this.getLoginLinks();
if (loginUrlToClientName.size() == 1) {
// Setup auto-redirect to provider login page
// when only 1 client is configured
this.updateAuthenticationDefaults();
this.updateAccessDefaults(http);
String providerLoginPage = loginUrlToClientName.keySet().iterator().next();
this.registerAuthenticationEntryPoint(http, this.getLoginEntryPoint(http, providerLoginPage));
} else {
super.init(http);
}
}
OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient = this.tokenEndpointConfig.accessTokenResponseClient;
if (accessTokenResponseClient == null) {
accessTokenResponseClient = new DefaultAuthorizationCodeTokenResponseClient();
}
OAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService = getOAuth2UserService();
OAuth2LoginAuthenticationProvider oauth2LoginAuthenticationProvider = new OAuth2LoginAuthenticationProvider(accessTokenResponseClient, oauth2UserService);
GrantedAuthoritiesMapper userAuthoritiesMapper = this.getGrantedAuthoritiesMapper();
if (userAuthoritiesMapper != null) {
oauth2LoginAuthenticationProvider.setAuthoritiesMapper(userAuthoritiesMapper);
}
http.authenticationProvider(this.postProcess(oauth2LoginAuthenticationProvider));
boolean oidcAuthenticationProviderEnabled = ClassUtils.isPresent("org.springframework.security.oauth2.jwt.JwtDecoder", this.getClass().getClassLoader());
if (oidcAuthenticationProviderEnabled) {
OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService = getOidcUserService();
OidcAuthorizationCodeAuthenticationProvider oidcAuthorizationCodeAuthenticationProvider = new OidcAuthorizationCodeAuthenticationProvider(accessTokenResponseClient, oidcUserService);
JwtDecoderFactory<ClientRegistration> jwtDecoderFactory = this.getJwtDecoderFactoryBean();
if (jwtDecoderFactory != null) {
oidcAuthorizationCodeAuthenticationProvider.setJwtDecoderFactory(jwtDecoderFactory);
}
if (userAuthoritiesMapper != null) {
oidcAuthorizationCodeAuthenticationProvider.setAuthoritiesMapper(userAuthoritiesMapper);
}
http.authenticationProvider(this.postProcess(oidcAuthorizationCodeAuthenticationProvider));
} else {
http.authenticationProvider(new OidcAuthenticationRequestChecker());
}
this.initDefaultLoginFilter(http);
}
Also used :
OAuth2User(org.springframework.security.oauth2.core.user.OAuth2User)
OidcUserRequest(org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest)
OAuth2AuthorizationCodeGrantRequest(org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest)
OAuth2UserRequest(org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest)
OidcAuthorizationCodeAuthenticationProvider(org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider)
GrantedAuthoritiesMapper(org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper)
OidcUser(org.springframework.security.oauth2.core.oidc.user.OidcUser)
ClientRegistration(org.springframework.security.oauth2.client.registration.ClientRegistration)
OAuth2LoginAuthenticationFilter(org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter)
DefaultAuthorizationCodeTokenResponseClient(org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient)
OAuth2LoginAuthenticationProvider(org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationProvider)
Example 19 with OidcUserRequest
use of org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest in project spring-security by spring-projects.
the class OAuth2LoginTests method oauth2LoginWhenCustomBeansThenUsed.
@Test
public void oauth2LoginWhenCustomBeansThenUsed() {
this.spring.register(OAuth2LoginWithMultipleClientRegistrations.class, OAuth2LoginWithCustomBeansConfig.class).autowire();
// @formatter:off
WebTestClient webTestClient = WebTestClientBuilder.bindToWebFilters(this.springSecurity).build();
// @formatter:on
OAuth2LoginWithCustomBeansConfig config = this.spring.getContext().getBean(OAuth2LoginWithCustomBeansConfig.class);
OAuth2AuthorizationRequest request = TestOAuth2AuthorizationRequests.request().scope("openid").build();
OAuth2AuthorizationResponse response = TestOAuth2AuthorizationResponses.success().build();
OAuth2AuthorizationExchange exchange = new OAuth2AuthorizationExchange(request, response);
OAuth2AccessToken accessToken = TestOAuth2AccessTokens.scopes("openid");
OAuth2AuthorizationCodeAuthenticationToken token = new OAuth2AuthorizationCodeAuthenticationToken(google, exchange, accessToken);
ServerAuthenticationConverter converter = config.authenticationConverter;
given(converter.convert(any())).willReturn(Mono.just(token));
ServerSecurityContextRepository securityContextRepository = config.securityContextRepository;
given(securityContextRepository.save(any(), any())).willReturn(Mono.empty());
given(securityContextRepository.load(any())).willReturn(authentication(token));
Map<String, Object> additionalParameters = new HashMap<>();
additionalParameters.put(OidcParameterNames.ID_TOKEN, "id-token");
// @formatter:off
OAuth2AccessTokenResponse accessTokenResponse = OAuth2AccessTokenResponse.withToken(accessToken.getTokenValue()).tokenType(accessToken.getTokenType()).scopes(accessToken.getScopes()).additionalParameters(additionalParameters).build();
// @formatter:on
ReactiveOAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> tokenResponseClient = config.tokenResponseClient;
given(tokenResponseClient.getTokenResponse(any())).willReturn(Mono.just(accessTokenResponse));
OidcUser user = TestOidcUsers.create();
ReactiveOAuth2UserService<OidcUserRequest, OidcUser> userService = config.userService;
given(userService.loadUser(any())).willReturn(Mono.just(user));
// @formatter:off
webTestClient.get().uri("/login/oauth2/code/google").exchange().expectStatus().is3xxRedirection();
// @formatter:on
verify(config.jwtDecoderFactory).createDecoder(any());
verify(tokenResponseClient).getTokenResponse(any());
verify(securityContextRepository).save(any(), any());
}
Also used :
OAuth2AccessTokenResponse(org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse)
OidcUserRequest(org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest)
WebTestClient(org.springframework.test.web.reactive.server.WebTestClient)
HashMap(java.util.HashMap)
OAuth2AuthorizationCodeGrantRequest(org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest)
OAuth2AuthorizationCodeAuthenticationToken(org.springframework.security.oauth2.client.authentication.OAuth2AuthorizationCodeAuthenticationToken)
OAuth2AuthorizationResponse(org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse)
ServerAuthenticationConverter(org.springframework.security.web.server.authentication.ServerAuthenticationConverter)
OidcUser(org.springframework.security.oauth2.core.oidc.user.OidcUser)
OAuth2AccessToken(org.springframework.security.oauth2.core.OAuth2AccessToken)
OAuth2AuthorizationExchange(org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange)
ServerSecurityContextRepository(org.springframework.security.web.server.context.ServerSecurityContextRepository)
OAuth2AuthorizationRequest(org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest)
Test(org.junit.jupiter.api.Test)
Example 20 with OidcUserRequest
use of org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest in project spring-security by spring-projects.
the class OidcUserService method loadUser.
@Override
public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2AuthenticationException {
Assert.notNull(userRequest, "userRequest cannot be null");
OidcUserInfo userInfo = null;
if (this.shouldRetrieveUserInfo(userRequest)) {
OAuth2User oauth2User = this.oauth2UserService.loadUser(userRequest);
Map<String, Object> claims = getClaims(userRequest, oauth2User);
userInfo = new OidcUserInfo(claims);
// 1) The sub (subject) Claim MUST always be returned in the UserInfo Response
if (userInfo.getSubject() == null) {
OAuth2Error oauth2Error = new OAuth2Error(INVALID_USER_INFO_RESPONSE_ERROR_CODE);
throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}
// the UserInfo Response values MUST NOT be used.
if (!userInfo.getSubject().equals(userRequest.getIdToken().getSubject())) {
OAuth2Error oauth2Error = new OAuth2Error(INVALID_USER_INFO_RESPONSE_ERROR_CODE);
throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}
}
Set<GrantedAuthority> authorities = new LinkedHashSet<>();
authorities.add(new OidcUserAuthority(userRequest.getIdToken(), userInfo));
OAuth2AccessToken token = userRequest.getAccessToken();
for (String authority : token.getScopes()) {
authorities.add(new SimpleGrantedAuthority("SCOPE_" + authority));
}
return getUser(userRequest, userInfo, authorities);
}
Also used :
LinkedHashSet(java.util.LinkedHashSet)
OAuth2User(org.springframework.security.oauth2.core.user.OAuth2User)
OidcUserAuthority(org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority)
SimpleGrantedAuthority(org.springframework.security.core.authority.SimpleGrantedAuthority)
GrantedAuthority(org.springframework.security.core.GrantedAuthority)
OAuth2Error(org.springframework.security.oauth2.core.OAuth2Error)
OidcUserInfo(org.springframework.security.oauth2.core.oidc.OidcUserInfo)
SimpleGrantedAuthority(org.springframework.security.core.authority.SimpleGrantedAuthority)
OAuth2AccessToken(org.springframework.security.oauth2.core.OAuth2AccessToken)
OAuth2AuthenticationException(org.springframework.security.oauth2.core.OAuth2AuthenticationException)
Aggregations
Test (org.junit.jupiter.api.Test)25
ClientRegistration (org.springframework.security.oauth2.client.registration.ClientRegistration)23
OidcUser (org.springframework.security.oauth2.core.oidc.user.OidcUser)20
OidcUserRequest (org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest)8
OAuth2AccessToken (org.springframework.security.oauth2.core.OAuth2AccessToken)7
OAuth2AuthenticationException (org.springframework.security.oauth2.core.OAuth2AuthenticationException)7
GrantedAuthority (org.springframework.security.core.GrantedAuthority)6
OAuth2AccessTokenResponse (org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse)6
OAuth2AuthorizationRequest (org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest)6
OAuth2AuthorizationResponse (org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse)6
HashMap (java.util.HashMap)5
OAuth2LoginAuthenticationToken (org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken)5
OAuth2AuthorizationCodeGrantRequest (org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest)5
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)4
Base64 (java.util.Base64)4
Map (java.util.Map)4
GrantedAuthoritiesMapper (org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper)4
OAuth2User (org.springframework.security.oauth2.core.user.OAuth2User)4
Arrays (java.util.Arrays)3
Collections (java.util.Collections)3
