Use of org.springframework.security.oauth2.core.OAuth2TokenClaimsSet in the spring-projects/spring-authorization-server project: the generate method of class OAuth2AccessTokenGenerator (builds the claims of a reference/opaque access token).
/**
 * Generates a reference (opaque) access token for the given token context.
 * <p>
 * Applies only when the requested token type is {@code ACCESS_TOKEN} and the
 * client's token settings select the {@code REFERENCE} format; any other
 * request yields {@code null} so that another generator can handle it.
 * <p>
 * The claims set records issuer (only when a provider context with a non-blank
 * issuer is available), subject (the principal name), audience (the client id),
 * iat/nbf (now), exp (now + the client's access-token TTL), a random UUID as
 * the token id and, when present, the authorized scopes. A configured
 * customizer may then adjust the claims before the token is built.
 * <p>
 * NOTE(review): the scopes placed on the returned {@link OAuth2AccessToken}
 * come from {@code context.getAuthorizedScopes()}, not from the (possibly
 * customized) {@code scope} claim; the two can diverge if a customizer edits it.
 * The opaque token value comes from {@code accessTokenGenerator.generateKey()};
 * its unpredictability depends on that generator's configuration — confirm it
 * is backed by a cryptographically secure random source.
 *
 * @param context the token context (client, principal, scopes, grant)
 * @return the reference access token, or {@code null} if this generator does
 * not apply to the context
 */
@Nullable
@Override
public OAuth2AccessToken generate(OAuth2TokenContext context) {
	boolean accessTokenRequested = OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType());
	boolean referenceFormat = OAuth2TokenFormat.REFERENCE.equals(
			context.getRegisteredClient().getTokenSettings().getAccessTokenFormat());
	if (!accessTokenRequested || !referenceFormat) {
		// Not ours to handle (JWT format or a different token type).
		return null;
	}

	RegisteredClient registeredClient = context.getRegisteredClient();
	// Issuer is optional: it is only known when a provider context is attached.
	String issuer = (context.getProviderContext() != null) ? context.getProviderContext().getIssuer() : null;

	Instant issuedAt = Instant.now();
	Instant expiresAt = issuedAt.plus(registeredClient.getTokenSettings().getAccessTokenTimeToLive());

	OAuth2TokenClaimsSet.Builder claimsBuilder = OAuth2TokenClaimsSet.builder();
	if (StringUtils.hasText(issuer)) {
		claimsBuilder.issuer(issuer);
	}
	claimsBuilder.subject(context.getPrincipal().getName());
	claimsBuilder.audience(Collections.singletonList(registeredClient.getClientId()));
	claimsBuilder.issuedAt(issuedAt);
	claimsBuilder.expiresAt(expiresAt);
	// Token is valid immediately; nbf == iat.
	claimsBuilder.notBefore(issuedAt);
	// jti: random UUID (JDK UUID.randomUUID() is SecureRandom-backed).
	claimsBuilder.id(UUID.randomUUID().toString());
	if (!CollectionUtils.isEmpty(context.getAuthorizedScopes())) {
		claimsBuilder.claim(OAuth2ParameterNames.SCOPE, context.getAuthorizedScopes());
	}

	if (this.accessTokenCustomizer != null) {
		// Hand the mutable claims builder to the customizer along with the
		// full context; it edits the claims in place before they are built.
		OAuth2TokenClaimsContext.Builder customizerContextBuilder = OAuth2TokenClaimsContext.with(claimsBuilder)
				.registeredClient(context.getRegisteredClient())
				.principal(context.getPrincipal())
				.providerContext(context.getProviderContext())
				.authorizedScopes(context.getAuthorizedScopes())
				.tokenType(context.getTokenType())
				.authorizationGrantType(context.getAuthorizationGrantType());
		if (context.getAuthorization() != null) {
			customizerContextBuilder.authorization(context.getAuthorization());
		}
		if (context.getAuthorizationGrant() != null) {
			customizerContextBuilder.authorizationGrant(context.getAuthorizationGrant());
		}
		this.accessTokenCustomizer.customize(customizerContextBuilder.build());
	}

	OAuth2TokenClaimsSet claims = claimsBuilder.build();
	// The claims (iat/exp and the full claim map) are attached to the opaque token
	// so that introspection can later report them without parsing the token value.
	return new OAuth2AccessTokenClaims(
			OAuth2AccessToken.TokenType.BEARER,
			this.accessTokenGenerator.generateKey(),
			claims.getIssuedAt(),
			claims.getExpiresAt(),
			context.getAuthorizedScopes(),
			claims.getClaims());
}
Use of org.springframework.security.oauth2.core.OAuth2TokenClaimsSet in the spring-projects/spring-authorization-server project: the requestWhenObtainReferenceAccessTokenAndIntrospectThenActive test method of class OAuth2TokenIntrospectionTests.
/**
 * End-to-end: a client configured for REFERENCE (opaque) access tokens obtains
 * one via the token endpoint, then a <em>different</em> registered client
 * introspects it and the server reports it as active with the issued claims.
 * <p>
 * NOTE(review): the introspecting client is not the client the token was issued
 * to; this test therefore relies on introspection being permitted for any
 * authenticated registered client — confirm that is the intended policy.
 */
@Test
public void requestWhenObtainReferenceAccessTokenAndIntrospectThenActive() throws Exception {
	this.spring.register(AuthorizationServerConfiguration.class).autowire();

	// Client whose access tokens are opaque references rather than JWTs.
	TokenSettings referenceTokenSettings = TokenSettings.builder()
			.accessTokenFormat(OAuth2TokenFormat.REFERENCE)
			.build();
	RegisteredClient authorizedRegisteredClient = TestRegisteredClients.registeredClient()
			.tokenSettings(referenceTokenSettings)
			.build();
	this.registeredClientRepository.save(authorizedRegisteredClient);
	OAuth2Authorization authorization = TestOAuth2Authorizations.authorization(authorizedRegisteredClient).build();
	this.authorizationService.save(authorization);

	// Exchange the seeded authorization code for an access token.
	MvcResult tokenResult = this.mvc.perform(post(providerSettings.getTokenEndpoint())
					.params(getAuthorizationCodeTokenRequestParameters(authorizedRegisteredClient, authorization))
					.header(HttpHeaders.AUTHORIZATION, getAuthorizationHeader(authorizedRegisteredClient)))
			.andExpect(status().isOk())
			.andReturn();
	OAuth2AccessTokenResponse tokenResponse = readAccessTokenResponse(tokenResult);
	OAuth2AccessToken accessToken = tokenResponse.getAccessToken();

	// A second registered client authenticates and introspects the token.
	RegisteredClient introspectRegisteredClient = TestRegisteredClients.registeredClient2().build();
	this.registeredClientRepository.save(introspectRegisteredClient);
	MvcResult introspectionResult = this.mvc.perform(post(providerSettings.getTokenIntrospectionEndpoint())
					.params(getTokenIntrospectionRequestParameters(accessToken, OAuth2TokenType.ACCESS_TOKEN))
					.header(HttpHeaders.AUTHORIZATION, getAuthorizationHeader(introspectRegisteredClient)))
			.andExpect(status().isOk())
			.andReturn();
	OAuth2TokenIntrospection introspection = readTokenIntrospectionResponse(introspectionResult);

	// The claims the server actually issued are recovered from the customizer
	// invocation, since an opaque token value carries none of them.
	ArgumentCaptor<OAuth2TokenClaimsContext> claimsContextCaptor =
			ArgumentCaptor.forClass(OAuth2TokenClaimsContext.class);
	verify(accessTokenCustomizer).customize(claimsContextCaptor.capture());
	OAuth2TokenClaimsSet issuedClaims = claimsContextCaptor.getValue().getClaims().build();

	assertThat(introspection.isActive()).isTrue();
	assertThat(introspection.getClientId()).isEqualTo(authorizedRegisteredClient.getClientId());
	// No username is reported for this token.
	assertThat(introspection.getUsername()).isNull();
	// Timestamps are compared with a one-second tolerance (presumably because the
	// response carries whole-second epoch values).
	assertThat(introspection.getIssuedAt())
			.isBetween(issuedClaims.getIssuedAt().minusSeconds(1), issuedClaims.getIssuedAt().plusSeconds(1));
	assertThat(introspection.getExpiresAt())
			.isBetween(issuedClaims.getExpiresAt().minusSeconds(1), issuedClaims.getExpiresAt().plusSeconds(1));
	assertThat(introspection.getNotBefore())
			.isBetween(issuedClaims.getNotBefore().minusSeconds(1), issuedClaims.getNotBefore().plusSeconds(1));
	List<String> issuedScopes = new ArrayList<>(issuedClaims.getClaim(OAuth2ParameterNames.SCOPE));
	assertThat(introspection.getScopes()).containsExactlyInAnyOrderElementsOf(issuedScopes);
	assertThat(introspection.getTokenType()).isEqualTo(accessToken.getTokenType().getValue());
	assertThat(introspection.getSubject()).isEqualTo(issuedClaims.getSubject());
	assertThat(introspection.getAudience()).containsExactlyInAnyOrderElementsOf(issuedClaims.getAudience());
	assertThat(introspection.getIssuer()).isEqualTo(issuedClaims.getIssuer());
	assertThat(introspection.getId()).isEqualTo(issuedClaims.getId());
}
Use of org.springframework.security.oauth2.core.OAuth2TokenClaimsSet in the spring-projects/spring-authorization-server project: the requestWhenIntrospectValidAccessTokenThenActive test method of class OAuth2TokenIntrospectionTests.
/**
 * Introspects a pre-seeded, unexpired access token (stored together with its
 * claims) and checks that the response is {@code active} and mirrors those
 * stored claims.
 * <p>
 * NOTE(review): the introspecting client ({@code registeredClient2}) is not the
 * client the token was issued to, so the test assumes any authenticated
 * registered client may introspect — confirm that is the intended policy.
 */
@Test
public void requestWhenIntrospectValidAccessTokenThenActive() throws Exception {
	this.spring.register(AuthorizationServerConfiguration.class).autowire();

	// Client that will call the introspection endpoint.
	RegisteredClient introspectRegisteredClient = TestRegisteredClients.registeredClient2()
			.clientSecret("secret-2")
			.build();
	this.registeredClientRepository.save(introspectRegisteredClient);

	// Token issued to a different client, valid for one hour from now.
	RegisteredClient authorizedRegisteredClient = TestRegisteredClients.registeredClient().build();
	Instant issuedAt = Instant.now();
	Instant expiresAt = issuedAt.plus(Duration.ofHours(1));
	OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, "access-token",
			issuedAt, expiresAt, new HashSet<>(Arrays.asList("scope1", "scope2")));
	OAuth2TokenClaimsSet accessTokenClaims = OAuth2TokenClaimsSet.builder()
			.issuer("https://provider.com")
			.subject("subject")
			.audience(Collections.singletonList(authorizedRegisteredClient.getClientId()))
			.issuedAt(issuedAt)
			.notBefore(issuedAt)
			.expiresAt(expiresAt)
			.id("id")
			.build();
	// The claim map is persisted alongside the opaque token so introspection can report it.
	OAuth2Authorization authorization = TestOAuth2Authorizations
			.authorization(authorizedRegisteredClient, accessToken, accessTokenClaims.getClaims())
			.build();
	this.registeredClientRepository.save(authorizedRegisteredClient);
	this.authorizationService.save(authorization);

	MvcResult introspectionResult = this.mvc.perform(post(providerSettings.getTokenIntrospectionEndpoint())
					.params(getTokenIntrospectionRequestParameters(accessToken, OAuth2TokenType.ACCESS_TOKEN))
					.header(HttpHeaders.AUTHORIZATION, getAuthorizationHeader(introspectRegisteredClient)))
			.andExpect(status().isOk())
			.andReturn();
	OAuth2TokenIntrospection introspection = readTokenIntrospectionResponse(introspectionResult);

	assertThat(introspection.isActive()).isTrue();
	assertThat(introspection.getClientId()).isEqualTo(authorizedRegisteredClient.getClientId());
	assertThat(introspection.getUsername()).isNull();
	// One-second tolerance on timestamps (presumably whole-second epoch values in the response).
	assertThat(introspection.getIssuedAt())
			.isBetween(accessTokenClaims.getIssuedAt().minusSeconds(1), accessTokenClaims.getIssuedAt().plusSeconds(1));
	assertThat(introspection.getExpiresAt())
			.isBetween(accessTokenClaims.getExpiresAt().minusSeconds(1), accessTokenClaims.getExpiresAt().plusSeconds(1));
	assertThat(introspection.getNotBefore())
			.isBetween(accessTokenClaims.getNotBefore().minusSeconds(1), accessTokenClaims.getNotBefore().plusSeconds(1));
	assertThat(introspection.getScopes()).containsExactlyInAnyOrderElementsOf(accessToken.getScopes());
	assertThat(introspection.getTokenType()).isEqualTo(accessToken.getTokenType().getValue());
	assertThat(introspection.getSubject()).isEqualTo(accessTokenClaims.getSubject());
	assertThat(introspection.getAudience()).containsExactlyInAnyOrderElementsOf(accessTokenClaims.getAudience());
	assertThat(introspection.getIssuer()).isEqualTo(accessTokenClaims.getIssuer());
	assertThat(introspection.getId()).isEqualTo(accessTokenClaims.getId());
}
Use of org.springframework.security.oauth2.core.OAuth2TokenClaimsSet in the spring-projects/spring-authorization-server project: the authenticateWhenValidAccessTokenThenActive test method of class OAuth2TokenIntrospectionAuthenticationProviderTests.
/**
 * Unit test of the introspection provider: given an unexpired access token that
 * the authorization service resolves (with a {@code null} type hint), the
 * provider returns an authenticated result whose claims mark the token active
 * and reproduce the stored claims.
 * <p>
 * NOTE(review): the provider is expected to look the token up with a
 * {@code null} second argument to {@code findByToken}; the authentication is
 * constructed with two trailing {@code null}s (presumably token type hint and
 * additional parameters — confirm against the constructor).
 */
@Test
public void authenticateWhenValidAccessTokenThenActive() {
	RegisteredClient authorizedClient = TestRegisteredClients.registeredClient().build();
	Instant issuedAt = Instant.now();
	Instant expiresAt = issuedAt.plus(Duration.ofHours(1));
	OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, "access-token",
			issuedAt, expiresAt, new HashSet<>(Arrays.asList("scope1", "scope2")));
	OAuth2TokenClaimsSet claimsSet = OAuth2TokenClaimsSet.builder()
			.issuer("https://provider.com")
			.subject("subject")
			.audience(Collections.singletonList(authorizedClient.getClientId()))
			.issuedAt(issuedAt)
			.notBefore(issuedAt)
			.expiresAt(expiresAt)
			.id("id")
			.build();
	OAuth2Authorization authorization = TestOAuth2Authorizations
			.authorization(authorizedClient, accessToken, claimsSet.getClaims())
			.build();

	// Stub the lookups the provider performs: token -> authorization, then
	// the authorization's client id -> registered client.
	when(this.authorizationService.findByToken(eq(accessToken.getTokenValue()), isNull()))
			.thenReturn(authorization);
	when(this.registeredClientRepository.findById(eq(authorizedClient.getId())))
			.thenReturn(authorizedClient);

	// The caller is a different, already-authenticated client.
	RegisteredClient introspectingClient = TestRegisteredClients.registeredClient2().build();
	OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
			introspectingClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, introspectingClient.getClientSecret());
	OAuth2TokenIntrospectionAuthenticationToken request = new OAuth2TokenIntrospectionAuthenticationToken(
			accessToken.getTokenValue(), clientPrincipal, null, null);

	OAuth2TokenIntrospectionAuthenticationToken result =
			(OAuth2TokenIntrospectionAuthenticationToken) this.authenticationProvider.authenticate(request);

	verify(this.authorizationService).findByToken(eq(request.getToken()), isNull());
	verify(this.registeredClientRepository).findById(eq(authorizedClient.getId()));
	assertThat(result.isAuthenticated()).isTrue();

	OAuth2TokenIntrospection tokenClaims = result.getTokenClaims();
	assertThat(tokenClaims.isActive()).isTrue();
	assertThat(tokenClaims.getClientId()).isEqualTo(authorizedClient.getClientId());
	// No serialization round-trip here, so timestamps are compared exactly.
	assertThat(tokenClaims.getIssuedAt()).isEqualTo(accessToken.getIssuedAt());
	assertThat(tokenClaims.getExpiresAt()).isEqualTo(accessToken.getExpiresAt());
	assertThat(tokenClaims.getNotBefore()).isEqualTo(claimsSet.getNotBefore());
	assertThat(tokenClaims.getScopes()).containsExactlyInAnyOrderElementsOf(accessToken.getScopes());
	assertThat(tokenClaims.getTokenType()).isEqualTo(accessToken.getTokenType().getValue());
	assertThat(tokenClaims.getSubject()).isEqualTo(claimsSet.getSubject());
	assertThat(tokenClaims.getAudience()).containsExactlyInAnyOrderElementsOf(claimsSet.getAudience());
	assertThat(tokenClaims.getIssuer()).isEqualTo(claimsSet.getIssuer());
	assertThat(tokenClaims.getId()).isEqualTo(claimsSet.getId());
}