Example 6 with OAuth2AuthorizationRequest

Use of org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest in project spring-security by spring-projects.

From the class OAuth2AuthorizationCodeReactiveAuthenticationManager, method authenticate:

@Override
public Mono<Authentication> authenticate(Authentication authentication) {
    return Mono.defer(() -> {
        OAuth2AuthorizationCodeAuthenticationToken token = (OAuth2AuthorizationCodeAuthenticationToken) authentication;
        OAuth2AuthorizationResponse authorizationResponse = token.getAuthorizationExchange().getAuthorizationResponse();
        // The authorization server answered with an error response (for example access_denied): fail the exchange.
        if (authorizationResponse.statusError()) {
            return Mono.error(new OAuth2AuthorizationException(authorizationResponse.getError()));
        }
        OAuth2AuthorizationRequest authorizationRequest = token.getAuthorizationExchange().getAuthorizationRequest();
        // The state echoed back on the redirect must match the state stored with the original
        // authorization request; this binds the response to the session that initiated the flow.
        if (!authorizationResponse.getState().equals(authorizationRequest.getState())) {
            OAuth2Error oauth2Error = new OAuth2Error(INVALID_STATE_PARAMETER_ERROR_CODE);
            return Mono.error(new OAuth2AuthorizationException(oauth2Error));
        }
        // Only after both checks pass is the authorization code exchanged at the token endpoint.
        OAuth2AuthorizationCodeGrantRequest authzRequest = new OAuth2AuthorizationCodeGrantRequest(token.getClientRegistration(), token.getAuthorizationExchange());
        return this.accessTokenResponseClient.getTokenResponse(authzRequest).map(onSuccess(token));
    });
}
Also used:
    OAuth2AuthorizationException (org.springframework.security.oauth2.core.OAuth2AuthorizationException)
    OAuth2AuthorizationCodeGrantRequest (org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest)
    OAuth2Error (org.springframework.security.oauth2.core.OAuth2Error)
    OAuth2AuthorizationResponse (org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse)
    OAuth2AuthorizationRequest (org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest)

Example 7 with OAuth2AuthorizationRequest

Use of org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest in project spring-security by spring-projects.

From the class OAuth2LoginAuthenticationFilterTests, method doFilterWhenAuthorizationResponseHasNonDefaultPortThenRedirectUriMatchingIncludesPort:

// gh-5890
@Test
public void doFilterWhenAuthorizationResponseHasNonDefaultPortThenRedirectUriMatchingIncludesPort() throws Exception {
    String requestUri = "/login/oauth2/code/" + this.registration2.getRegistrationId();
    String state = "state";
    // Simulate the authorization response arriving on a non-default port (9090).
    MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
    request.setScheme("https");
    request.setServerName("example.com");
    request.setServerPort(9090);
    request.setServletPath(requestUri);
    request.addParameter(OAuth2ParameterNames.CODE, "code");
    request.addParameter(OAuth2ParameterNames.STATE, "state");
    MockHttpServletResponse response = new MockHttpServletResponse();
    FilterChain filterChain = mock(FilterChain.class);
    this.setUpAuthorizationRequest(request, response, this.registration2, state);
    this.setUpAuthenticationResult(this.registration2);
    this.filter.doFilter(request, response, filterChain);
    ArgumentCaptor<Authentication> authenticationArgCaptor = ArgumentCaptor.forClass(Authentication.class);
    verify(this.authenticationManager).authenticate(authenticationArgCaptor.capture());
    OAuth2LoginAuthenticationToken authentication = (OAuth2LoginAuthenticationToken) authenticationArgCaptor.getValue();
    OAuth2AuthorizationRequest authorizationRequest = authentication.getAuthorizationExchange().getAuthorizationRequest();
    OAuth2AuthorizationResponse authorizationResponse = authentication.getAuthorizationExchange().getAuthorizationResponse();
    // The redirect URI reconstructed from the incoming request must keep the port, so that the
    // value sent to the token endpoint matches the one used in the authorization request.
    String expectedRedirectUri = "https://example.com:9090/login/oauth2/code/registration-id-2";
    assertThat(authorizationRequest.getRedirectUri()).isEqualTo(expectedRedirectUri);
    assertThat(authorizationResponse.getRedirectUri()).isEqualTo(expectedRedirectUri);
}
Also used:
    MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest)
    Authentication (org.springframework.security.core.Authentication)
    FilterChain (jakarta.servlet.FilterChain)
    OAuth2AuthorizationResponse (org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse)
    OAuth2AuthorizationRequest (org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest)
    MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse)
    OAuth2LoginAuthenticationToken (org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken)
    Test (org.junit.jupiter.api.Test)

Example 8 with OAuth2AuthorizationRequest

Use of org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest in project spring-security by spring-projects.

From the class WebSessionOAuth2ServerAuthorizationRequestRepositoryAllowMultipleAuthorizationRequestsTests, method loadAuthorizationRequestWhenSavedWithAllowMultipleAuthorizationRequestsThenReturnOldAuthorizationRequest:

// gh-5145
@Test
public void loadAuthorizationRequestWhenSavedWithAllowMultipleAuthorizationRequestsThenReturnOldAuthorizationRequest() {
    // save 2 requests with legacy (allowMultipleAuthorizationRequests=true) and load
    // with new
    WebSessionOAuth2ServerAuthorizationRequestRepository legacy = new WebSessionOAuth2ServerAuthorizationRequestRepository();
    legacy.setAllowMultipleAuthorizationRequests(true);
    // @formatter:off
    String state1 = "state-1122";
    OAuth2AuthorizationRequest authorizationRequest1 = OAuth2AuthorizationRequest.authorizationCode()
            .authorizationUri("https://example.com/oauth2/authorize")
            .clientId("client-id")
            .redirectUri("http://localhost/client-1")
            .state(state1)
            .build();
    StepVerifier.create(legacy.saveAuthorizationRequest(authorizationRequest1, this.exchange))
            .verifyComplete();
    String state2 = "state-3344";
    OAuth2AuthorizationRequest authorizationRequest2 = OAuth2AuthorizationRequest.authorizationCode()
            .authorizationUri("https://example.com/oauth2/authorize")
            .clientId("client-id")
            .redirectUri("http://localhost/client-1")
            .state(state2)
            .build();
    StepVerifier.create(legacy.saveAuthorizationRequest(authorizationRequest2, this.exchange))
            .verifyComplete();
    // A new repository (single-request mode) must still find the older request by its state.
    ServerHttpRequest newRequest = MockServerHttpRequest.get("/")
            .queryParam(OAuth2ParameterNames.STATE, state1)
            .build();
    ServerWebExchange newExchange = this.exchange.mutate().request(newRequest).build();
    StepVerifier.create(this.repository.loadAuthorizationRequest(newExchange))
            .expectNext(authorizationRequest1)
            .verifyComplete();
    // @formatter:on
}
Also used:
    DefaultServerWebExchange (org.springframework.web.server.adapter.DefaultServerWebExchange)
    ServerWebExchange (org.springframework.web.server.ServerWebExchange)
    MockServerHttpRequest (org.springframework.mock.http.server.reactive.MockServerHttpRequest)
    ServerHttpRequest (org.springframework.http.server.reactive.ServerHttpRequest)
    OAuth2AuthorizationRequest (org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest)
    Test (org.junit.jupiter.api.Test)

Example 9 with OAuth2AuthorizationRequest

Use of org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest in project spring-security by spring-projects.

From the class WebSessionOAuth2ServerAuthorizationRequestRepositoryAllowMultipleAuthorizationRequestsTests, method saveAuthorizationRequestWhenSavedWithAllowMultipleAuthorizationRequestsThenLoadNewAuthorizationRequest:

// gh-5145
@Test
public void saveAuthorizationRequestWhenSavedWithAllowMultipleAuthorizationRequestsThenLoadNewAuthorizationRequest() {
    // save 2 requests with legacy (allowMultipleAuthorizationRequests=true), save
    // with new, and load with new
    WebSessionOAuth2ServerAuthorizationRequestRepository legacy = new WebSessionOAuth2ServerAuthorizationRequestRepository();
    legacy.setAllowMultipleAuthorizationRequests(true);
    // @formatter:off
    String state1 = "state-1122";
    OAuth2AuthorizationRequest authorizationRequest1 = OAuth2AuthorizationRequest.authorizationCode()
            .authorizationUri("https://example.com/oauth2/authorize")
            .clientId("client-id")
            .redirectUri("http://localhost/client-1")
            .state(state1)
            .build();
    StepVerifier.create(legacy.saveAuthorizationRequest(authorizationRequest1, this.exchange))
            .verifyComplete();
    String state2 = "state-3344";
    OAuth2AuthorizationRequest authorizationRequest2 = OAuth2AuthorizationRequest.authorizationCode()
            .authorizationUri("https://example.com/oauth2/authorize")
            .clientId("client-id")
            .redirectUri("http://localhost/client-1")
            .state(state2)
            .build();
    StepVerifier.create(legacy.saveAuthorizationRequest(authorizationRequest2, this.exchange))
            .verifyComplete();
    String state3 = "state-5566";
    OAuth2AuthorizationRequest authorizationRequest3 = OAuth2AuthorizationRequest.authorizationCode()
            .authorizationUri("https://example.com/oauth2/authorize")
            .clientId("client-id")
            .redirectUri("http://localhost/client-1")
            .state(state3)
            .build();
    ServerHttpRequest newRequest = MockServerHttpRequest.get("/")
            .queryParam(OAuth2ParameterNames.STATE, state3)
            .build();
    ServerWebExchange newExchange = this.exchange.mutate().request(newRequest).build();
    // Saving with the new repository on top of the legacy session data and loading by the new
    // state must return the request just saved.
    Mono<OAuth2AuthorizationRequest> saveAndLoad = this.repository.saveAuthorizationRequest(authorizationRequest3, this.exchange)
            .then(this.repository.loadAuthorizationRequest(newExchange));
    StepVerifier.create(saveAndLoad)
            .expectNext(authorizationRequest3)
            .verifyComplete();
    // @formatter:on
}
Also used:
    DefaultServerWebExchange (org.springframework.web.server.adapter.DefaultServerWebExchange)
    ServerWebExchange (org.springframework.web.server.ServerWebExchange)
    MockServerHttpRequest (org.springframework.mock.http.server.reactive.MockServerHttpRequest)
    ServerHttpRequest (org.springframework.http.server.reactive.ServerHttpRequest)
    OAuth2AuthorizationRequest (org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest)
    Test (org.junit.jupiter.api.Test)

Example 10 with OAuth2AuthorizationRequest

Use of org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest in project spring-security by spring-projects.

From the class WebSessionOAuth2ServerAuthorizationRequestRepositoryTests, method removeAuthorizationRequestWhenStateMissingThenNoErrors:

// gh-5599
@Test
public void removeAuthorizationRequestWhenStateMissingThenNoErrors() {
    // @formatter:off
    // Removing with a state that was never saved must complete empty rather than error.
    MockServerHttpRequest otherState = MockServerHttpRequest.get("/")
            .queryParam(OAuth2ParameterNames.STATE, "other")
            .build();
    ServerWebExchange otherStateExchange = this.exchange.mutate().request(otherState).build();
    Mono<OAuth2AuthorizationRequest> saveAndRemove = this.repository.saveAuthorizationRequest(this.authorizationRequest, this.exchange)
            .then(this.repository.removeAuthorizationRequest(otherStateExchange));
    StepVerifier.create(saveAndRemove)
            .verifyComplete();
    // @formatter:on
}
Also used:
    MockServerWebExchange (org.springframework.mock.web.server.MockServerWebExchange)
    ServerWebExchange (org.springframework.web.server.ServerWebExchange)
    MockServerHttpRequest (org.springframework.mock.http.server.reactive.MockServerHttpRequest)
    OAuth2AuthorizationRequest (org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest)
    Test (org.junit.jupiter.api.Test)

Aggregations (classes used alongside OAuth2AuthorizationRequest, with the number of usages):

    OAuth2AuthorizationRequest (org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest): 137
    Test (org.junit.jupiter.api.Test): 112
    ClientRegistration (org.springframework.security.oauth2.client.registration.ClientRegistration): 52
    MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest): 49
    HashMap (java.util.HashMap): 26
    MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse): 25
    OAuth2AuthorizationResponse (org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse): 24
    OAuth2AuthorizationExchange (org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange): 22
    Authentication (org.springframework.security.core.Authentication): 19
    MockServerHttpRequest (org.springframework.mock.http.server.reactive.MockServerHttpRequest): 18
    OAuth2AccessTokenResponse (org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse): 17
    ServerWebExchange (org.springframework.web.server.ServerWebExchange): 13
    OAuth2ParameterNames (org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames): 12
    MockServerWebExchange (org.springframework.mock.web.server.MockServerWebExchange): 11
    OAuth2Error (org.springframework.security.oauth2.core.OAuth2Error): 11
    BeforeEach (org.junit.jupiter.api.BeforeEach): 10
    HttpRequestResponseHolder (org.springframework.security.web.context.HttpRequestResponseHolder): 10
    LinkedMultiValueMap (org.springframework.util.LinkedMultiValueMap): 10
    Map (java.util.Map): 9
    Mono (reactor.core.publisher.Mono): 9