Search in sources :

Example 51 with OAuth2Error

use of org.springframework.security.oauth2.core.OAuth2Error in project spring-security by spring-projects.

the class OidcIdTokenDecoderFactory method buildDecoder.

private NimbusJwtDecoder buildDecoder(ClientRegistration clientRegistration) {
    JwsAlgorithm jwsAlgorithm = this.jwsAlgorithmResolver.apply(clientRegistration);
    if (jwsAlgorithm != null && SignatureAlgorithm.class.isAssignableFrom(jwsAlgorithm.getClass())) {
        // https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
        // 
        // 6. If the ID Token is received via direct communication between the Client
        // and the Token Endpoint (which it is in this flow),
        // the TLS server validation MAY be used to validate the issuer in place of
        // checking the token signature.
        // The Client MUST validate the signature of all other ID Tokens according to
        // JWS [JWS]
        // using the algorithm specified in the JWT alg Header Parameter.
        // The Client MUST use the keys provided by the Issuer.
        // 
        // 7. The alg value SHOULD be the default of RS256 or the algorithm sent by
        // the Client
        // in the id_token_signed_response_alg parameter during Registration.
        String jwkSetUri = clientRegistration.getProviderDetails().getJwkSetUri();
        if (!StringUtils.hasText(jwkSetUri)) {
            OAuth2Error oauth2Error = new OAuth2Error(MISSING_SIGNATURE_VERIFIER_ERROR_CODE, "Failed to find a Signature Verifier for Client Registration: '" + clientRegistration.getRegistrationId() + "'. Check to ensure you have configured the JwkSet URI.", null);
            throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
        }
        return NimbusJwtDecoder.withJwkSetUri(jwkSetUri).jwsAlgorithm((SignatureAlgorithm) jwsAlgorithm).build();
    }
    if (jwsAlgorithm != null && MacAlgorithm.class.isAssignableFrom(jwsAlgorithm.getClass())) {
        // https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
        // 
        // 8. If the JWT alg Header Parameter uses a MAC based algorithm such as
        // HS256, HS384, or HS512,
        // the octets of the UTF-8 representation of the client_secret
        // corresponding to the client_id contained in the aud (audience) Claim
        // are used as the key to validate the signature.
        // For MAC based algorithms, the behavior is unspecified if the aud is
        // multi-valued or
        // if an azp value is present that is different than the aud value.
        String clientSecret = clientRegistration.getClientSecret();
        if (!StringUtils.hasText(clientSecret)) {
            OAuth2Error oauth2Error = new OAuth2Error(MISSING_SIGNATURE_VERIFIER_ERROR_CODE, "Failed to find a Signature Verifier for Client Registration: '" + clientRegistration.getRegistrationId() + "'. Check to ensure you have configured the client secret.", null);
            throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
        }
        SecretKeySpec secretKeySpec = new SecretKeySpec(clientSecret.getBytes(StandardCharsets.UTF_8), JCA_ALGORITHM_MAPPINGS.get(jwsAlgorithm));
        return NimbusJwtDecoder.withSecretKey(secretKeySpec).macAlgorithm((MacAlgorithm) jwsAlgorithm).build();
    }
    OAuth2Error oauth2Error = new OAuth2Error(MISSING_SIGNATURE_VERIFIER_ERROR_CODE, "Failed to find a Signature Verifier for Client Registration: '" + clientRegistration.getRegistrationId() + "'. Check to ensure you have configured a valid JWS Algorithm: '" + jwsAlgorithm + "'", null);
    throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}
Also used : JwsAlgorithm(org.springframework.security.oauth2.jose.jws.JwsAlgorithm) MacAlgorithm(org.springframework.security.oauth2.jose.jws.MacAlgorithm) SecretKeySpec(javax.crypto.spec.SecretKeySpec) OAuth2Error(org.springframework.security.oauth2.core.OAuth2Error) SignatureAlgorithm(org.springframework.security.oauth2.jose.jws.SignatureAlgorithm) OAuth2AuthenticationException(org.springframework.security.oauth2.core.OAuth2AuthenticationException)

Example 52 with OAuth2Error

use of org.springframework.security.oauth2.core.OAuth2Error in project spring-security by spring-projects.

the class ReactiveOidcIdTokenDecoderFactory method buildDecoder.

private NimbusReactiveJwtDecoder buildDecoder(ClientRegistration clientRegistration) {
    JwsAlgorithm jwsAlgorithm = this.jwsAlgorithmResolver.apply(clientRegistration);
    if (jwsAlgorithm != null && SignatureAlgorithm.class.isAssignableFrom(jwsAlgorithm.getClass())) {
        // https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
        // 
        // 6. If the ID Token is received via direct communication between the Client
        // and the Token Endpoint (which it is in this flow),
        // the TLS server validation MAY be used to validate the issuer in place of
        // checking the token signature.
        // The Client MUST validate the signature of all other ID Tokens according to
        // JWS [JWS]
        // using the algorithm specified in the JWT alg Header Parameter.
        // The Client MUST use the keys provided by the Issuer.
        // 
        // 7. The alg value SHOULD be the default of RS256 or the algorithm sent by
        // the Client
        // in the id_token_signed_response_alg parameter during Registration.
        String jwkSetUri = clientRegistration.getProviderDetails().getJwkSetUri();
        if (!StringUtils.hasText(jwkSetUri)) {
            OAuth2Error oauth2Error = new OAuth2Error(MISSING_SIGNATURE_VERIFIER_ERROR_CODE, "Failed to find a Signature Verifier for Client Registration: '" + clientRegistration.getRegistrationId() + "'. Check to ensure you have configured the JwkSet URI.", null);
            throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
        }
        return NimbusReactiveJwtDecoder.withJwkSetUri(jwkSetUri).jwsAlgorithm((SignatureAlgorithm) jwsAlgorithm).build();
    }
    if (jwsAlgorithm != null && MacAlgorithm.class.isAssignableFrom(jwsAlgorithm.getClass())) {
        // https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
        // 
        // 8. If the JWT alg Header Parameter uses a MAC based algorithm such as
        // HS256, HS384, or HS512,
        // the octets of the UTF-8 representation of the client_secret
        // corresponding to the client_id contained in the aud (audience) Claim
        // are used as the key to validate the signature.
        // For MAC based algorithms, the behavior is unspecified if the aud is
        // multi-valued or
        // if an azp value is present that is different than the aud value.
        String clientSecret = clientRegistration.getClientSecret();
        if (!StringUtils.hasText(clientSecret)) {
            OAuth2Error oauth2Error = new OAuth2Error(MISSING_SIGNATURE_VERIFIER_ERROR_CODE, "Failed to find a Signature Verifier for Client Registration: '" + clientRegistration.getRegistrationId() + "'. Check to ensure you have configured the client secret.", null);
            throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
        }
        SecretKeySpec secretKeySpec = new SecretKeySpec(clientSecret.getBytes(StandardCharsets.UTF_8), JCA_ALGORITHM_MAPPINGS.get(jwsAlgorithm));
        return NimbusReactiveJwtDecoder.withSecretKey(secretKeySpec).macAlgorithm((MacAlgorithm) jwsAlgorithm).build();
    }
    OAuth2Error oauth2Error = new OAuth2Error(MISSING_SIGNATURE_VERIFIER_ERROR_CODE, "Failed to find a Signature Verifier for Client Registration: '" + clientRegistration.getRegistrationId() + "'. Check to ensure you have configured a valid JWS Algorithm: '" + jwsAlgorithm + "'", null);
    throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}
Also used : JwsAlgorithm(org.springframework.security.oauth2.jose.jws.JwsAlgorithm) MacAlgorithm(org.springframework.security.oauth2.jose.jws.MacAlgorithm) SecretKeySpec(javax.crypto.spec.SecretKeySpec) OAuth2Error(org.springframework.security.oauth2.core.OAuth2Error) SignatureAlgorithm(org.springframework.security.oauth2.jose.jws.SignatureAlgorithm) OAuth2AuthenticationException(org.springframework.security.oauth2.core.OAuth2AuthenticationException)

Example 53 with OAuth2Error

use of org.springframework.security.oauth2.core.OAuth2Error in project spring-security by spring-projects.

the class AuthorizedClientServiceReactiveOAuth2AuthorizedClientManagerTests method authorizeWhenInvalidGrantThenRemoveAuthorizedClient.

@Test
public void authorizeWhenInvalidGrantThenRemoveAuthorizedClient() {
    given(this.clientRegistrationRepository.findByRegistrationId(eq(this.clientRegistration.getRegistrationId()))).willReturn(Mono.just(this.clientRegistration));
    given(this.authorizedClientService.loadAuthorizedClient(any(), any())).willReturn(Mono.empty());
    // @formatter:off
    OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId(this.clientRegistration.getRegistrationId()).principal(this.principal).build();
    // @formatter:on
    ClientAuthorizationException exception = new ClientAuthorizationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_GRANT, null, null), this.clientRegistration.getRegistrationId());
    given(this.authorizedClientProvider.authorize(any(OAuth2AuthorizationContext.class))).willReturn(Mono.error(exception));
    assertThatExceptionOfType(ClientAuthorizationException.class).isThrownBy(() -> this.authorizedClientManager.authorize(authorizeRequest).block()).isEqualTo(exception);
    verify(this.authorizedClientProvider).authorize(this.authorizationContextCaptor.capture());
    verify(this.contextAttributesMapper).apply(eq(authorizeRequest));
    OAuth2AuthorizationContext authorizationContext = this.authorizationContextCaptor.getValue();
    assertThat(authorizationContext.getClientRegistration()).isEqualTo(this.clientRegistration);
    assertThat(authorizationContext.getAuthorizedClient()).isNull();
    assertThat(authorizationContext.getPrincipal()).isEqualTo(this.principal);
    verify(this.authorizedClientService).removeAuthorizedClient(eq(this.clientRegistration.getRegistrationId()), eq(this.principal.getName()));
    this.removeAuthorizedClientProbe.assertWasSubscribed();
    verify(this.authorizedClientService, never()).saveAuthorizedClient(any(), any());
}
Also used : OAuth2Error(org.springframework.security.oauth2.core.OAuth2Error) Test(org.junit.jupiter.api.Test)

Example 54 with OAuth2Error

use of org.springframework.security.oauth2.core.OAuth2Error in project spring-security by spring-projects.

the class AuthorizedClientServiceOAuth2AuthorizedClientManagerTests method reauthorizeWhenErrorCodeMatchThenRemoveAuthorizedClient.

@Test
public void reauthorizeWhenErrorCodeMatchThenRemoveAuthorizedClient() {
    ClientAuthorizationException authorizationException = new ClientAuthorizationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_GRANT, null, null), this.clientRegistration.getRegistrationId());
    given(this.authorizedClientProvider.authorize(any(OAuth2AuthorizationContext.class))).willThrow(authorizationException);
    OAuth2AuthorizeRequest reauthorizeRequest = OAuth2AuthorizeRequest.withAuthorizedClient(this.authorizedClient).principal(this.principal).build();
    assertThatExceptionOfType(ClientAuthorizationException.class).isThrownBy(() -> this.authorizedClientManager.authorize(reauthorizeRequest)).isEqualTo(authorizationException);
    verify(this.authorizationFailureHandler).onAuthorizationFailure(eq(authorizationException), eq(this.principal), any());
    verify(this.authorizedClientService).removeAuthorizedClient(eq(this.clientRegistration.getRegistrationId()), eq(this.principal.getName()));
}
Also used : OAuth2Error(org.springframework.security.oauth2.core.OAuth2Error) Test(org.junit.jupiter.api.Test)

Example 55 with OAuth2Error

use of org.springframework.security.oauth2.core.OAuth2Error in project spring-security by spring-projects.

the class DefaultOAuth2UserService method loadUser.

@Override
public OAuth2User loadUser(OAuth2UserRequest userRequest) throws OAuth2AuthenticationException {
    Assert.notNull(userRequest, "userRequest cannot be null");
    if (!StringUtils.hasText(userRequest.getClientRegistration().getProviderDetails().getUserInfoEndpoint().getUri())) {
        OAuth2Error oauth2Error = new OAuth2Error(MISSING_USER_INFO_URI_ERROR_CODE, "Missing required UserInfo Uri in UserInfoEndpoint for Client Registration: " + userRequest.getClientRegistration().getRegistrationId(), null);
        throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
    }
    String userNameAttributeName = userRequest.getClientRegistration().getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName();
    if (!StringUtils.hasText(userNameAttributeName)) {
        OAuth2Error oauth2Error = new OAuth2Error(MISSING_USER_NAME_ATTRIBUTE_ERROR_CODE, "Missing required \"user name\" attribute name in UserInfoEndpoint for Client Registration: " + userRequest.getClientRegistration().getRegistrationId(), null);
        throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
    }
    RequestEntity<?> request = this.requestEntityConverter.convert(userRequest);
    ResponseEntity<Map<String, Object>> response = getResponse(userRequest, request);
    Map<String, Object> userAttributes = response.getBody();
    Set<GrantedAuthority> authorities = new LinkedHashSet<>();
    authorities.add(new OAuth2UserAuthority(userAttributes));
    OAuth2AccessToken token = userRequest.getAccessToken();
    for (String authority : token.getScopes()) {
        authorities.add(new SimpleGrantedAuthority("SCOPE_" + authority));
    }
    return new DefaultOAuth2User(authorities, userAttributes, userNameAttributeName);
}
Also used : LinkedHashSet(java.util.LinkedHashSet) SimpleGrantedAuthority(org.springframework.security.core.authority.SimpleGrantedAuthority) GrantedAuthority(org.springframework.security.core.GrantedAuthority) OAuth2Error(org.springframework.security.oauth2.core.OAuth2Error) OAuth2UserAuthority(org.springframework.security.oauth2.core.user.OAuth2UserAuthority) SimpleGrantedAuthority(org.springframework.security.core.authority.SimpleGrantedAuthority) OAuth2AccessToken(org.springframework.security.oauth2.core.OAuth2AccessToken) DefaultOAuth2User(org.springframework.security.oauth2.core.user.DefaultOAuth2User) OAuth2AuthenticationException(org.springframework.security.oauth2.core.OAuth2AuthenticationException) Map(java.util.Map)

Aggregations

OAuth2Error (org.springframework.security.oauth2.core.OAuth2Error)80 Test (org.junit.jupiter.api.Test)52 OAuth2AuthenticationException (org.springframework.security.oauth2.core.OAuth2AuthenticationException)30 OAuth2AuthorizationException (org.springframework.security.oauth2.core.OAuth2AuthorizationException)19 ClientRegistration (org.springframework.security.oauth2.client.registration.ClientRegistration)16 Authentication (org.springframework.security.core.Authentication)12 OAuth2AuthorizationRequest (org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest)12 OAuth2AuthorizationResponse (org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse)11 Map (java.util.Map)10 Jwt (org.springframework.security.oauth2.jwt.Jwt)10 Assertions.assertThat (org.assertj.core.api.Assertions.assertThat)9 OAuth2AuthorizationContext (org.springframework.security.oauth2.client.OAuth2AuthorizationContext)9 OAuth2AccessToken (org.springframework.security.oauth2.core.OAuth2AccessToken)9 Instant (java.time.Instant)8 ArgumentMatchers.any (org.mockito.ArgumentMatchers.any)8 BDDMockito.given (org.mockito.BDDMockito.given)8 Mockito.mock (org.mockito.Mockito.mock)8 Mockito.verify (org.mockito.Mockito.verify)8 Mono (reactor.core.publisher.Mono)8 Assertions.assertThatExceptionOfType (org.assertj.core.api.Assertions.assertThatExceptionOfType)7