Example 1 with OidcIdToken

Use of org.springframework.security.oauth2.core.oidc.OidcIdToken in project spring-security by spring-projects.

From class OidcAuthorizationCodeAuthenticationProvider, method authenticate.

@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    OAuth2LoginAuthenticationToken authorizationCodeAuthentication = (OAuth2LoginAuthenticationToken) authentication;
    // REQUIRED. OpenID Connect requests MUST contain the "openid" scope value.
    if (!authorizationCodeAuthentication.getAuthorizationExchange().getAuthorizationRequest().getScopes().contains(OidcScopes.OPENID)) {
        // This is NOT an OpenID Connect Authentication Request, so return null
        // and let OAuth2LoginAuthenticationProvider handle it instead
        return null;
    }
    OAuth2AuthorizationRequest authorizationRequest = authorizationCodeAuthentication.getAuthorizationExchange().getAuthorizationRequest();
    OAuth2AuthorizationResponse authorizationResponse = authorizationCodeAuthentication.getAuthorizationExchange().getAuthorizationResponse();
    if (authorizationResponse.statusError()) {
        throw new OAuth2AuthenticationException(authorizationResponse.getError(), authorizationResponse.getError().toString());
    }
    if (!authorizationResponse.getState().equals(authorizationRequest.getState())) {
        OAuth2Error oauth2Error = new OAuth2Error(INVALID_STATE_PARAMETER_ERROR_CODE);
        throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
    }
    OAuth2AccessTokenResponse accessTokenResponse = getResponse(authorizationCodeAuthentication);
    ClientRegistration clientRegistration = authorizationCodeAuthentication.getClientRegistration();
    Map<String, Object> additionalParameters = accessTokenResponse.getAdditionalParameters();
    if (!additionalParameters.containsKey(OidcParameterNames.ID_TOKEN)) {
        OAuth2Error invalidIdTokenError = new OAuth2Error(INVALID_ID_TOKEN_ERROR_CODE, "Missing (required) ID Token in Token Response for Client Registration: " + clientRegistration.getRegistrationId(), null);
        throw new OAuth2AuthenticationException(invalidIdTokenError, invalidIdTokenError.toString());
    }
    OidcIdToken idToken = createOidcToken(clientRegistration, accessTokenResponse);
    validateNonce(authorizationRequest, idToken);
    OidcUser oidcUser = this.userService.loadUser(new OidcUserRequest(clientRegistration, accessTokenResponse.getAccessToken(), idToken, additionalParameters));
    Collection<? extends GrantedAuthority> mappedAuthorities = this.authoritiesMapper.mapAuthorities(oidcUser.getAuthorities());
    OAuth2LoginAuthenticationToken authenticationResult = new OAuth2LoginAuthenticationToken(authorizationCodeAuthentication.getClientRegistration(), authorizationCodeAuthentication.getAuthorizationExchange(), oidcUser, mappedAuthorities, accessTokenResponse.getAccessToken(), accessTokenResponse.getRefreshToken());
    authenticationResult.setDetails(authorizationCodeAuthentication.getDetails());
    return authenticationResult;
}
Also used: OAuth2AccessTokenResponse (org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse), OidcUserRequest (org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest), OidcIdToken (org.springframework.security.oauth2.core.oidc.OidcIdToken), OAuth2Error (org.springframework.security.oauth2.core.OAuth2Error), OAuth2AuthorizationResponse (org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse), OAuth2LoginAuthenticationToken (org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken), OidcUser (org.springframework.security.oauth2.core.oidc.user.OidcUser), ClientRegistration (org.springframework.security.oauth2.client.registration.ClientRegistration), OAuth2AuthenticationException (org.springframework.security.oauth2.core.OAuth2AuthenticationException), OAuth2AuthorizationRequest (org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest)

Example 2 with OidcIdToken

Use of org.springframework.security.oauth2.core.oidc.OidcIdToken in project spring-security by spring-projects.

From class OidcAuthorizationCodeReactiveAuthenticationManager, method validateNonce.

private static Mono<OidcIdToken> validateNonce(OAuth2AuthorizationCodeAuthenticationToken authorizationCodeAuthentication, OidcIdToken idToken) {
    String requestNonce = authorizationCodeAuthentication.getAuthorizationExchange().getAuthorizationRequest().getAttribute(OidcParameterNames.NONCE);
    if (requestNonce != null) {
        String nonceHash = getNonceHash(requestNonce);
        String nonceHashClaim = idToken.getNonce();
        if (nonceHashClaim == null || !nonceHashClaim.equals(nonceHash)) {
            OAuth2Error oauth2Error = new OAuth2Error(INVALID_NONCE_ERROR_CODE);
            throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
        }
    }
    return Mono.just(idToken);
}
Also used: OAuth2Error (org.springframework.security.oauth2.core.OAuth2Error), OAuth2AuthenticationException (org.springframework.security.oauth2.core.OAuth2AuthenticationException)

Example 3 with OidcIdToken

Use of org.springframework.security.oauth2.core.oidc.OidcIdToken in project spring-security by spring-projects.

From class TestOidcUsers, method create.

public static DefaultOidcUser create() {
    OidcIdToken idToken = idToken();
    OidcUserInfo userInfo = userInfo();
    return new DefaultOidcUser(authorities(idToken, userInfo), idToken, userInfo);
}
Also used: OidcIdToken (org.springframework.security.oauth2.core.oidc.OidcIdToken), OidcUserInfo (org.springframework.security.oauth2.core.oidc.OidcUserInfo)

Example 4 with OidcIdToken

Use of org.springframework.security.oauth2.core.oidc.OidcIdToken in project spring-security by spring-projects.

From class OAuth2AuthenticationTokenMixinTests, method deserializeWhenRequiredAttributesOnlyThenDeserializes.

@Test
public void deserializeWhenRequiredAttributesOnlyThenDeserializes() throws Exception {
    DefaultOidcUser expectedPrincipal = TestOidcUsers.create();
    expectedPrincipal = new DefaultOidcUser(expectedPrincipal.getAuthorities(), expectedPrincipal.getIdToken());
    OAuth2AuthenticationToken expectedAuthentication = new OAuth2AuthenticationToken(expectedPrincipal, Collections.emptyList(), "registration-id");
    String json = asJson(expectedAuthentication);
    OAuth2AuthenticationToken authentication = this.mapper.readValue(json, OAuth2AuthenticationToken.class);
    assertThat(authentication.getAuthorities()).isEmpty();
    assertThat(authentication.getDetails()).isEqualTo(expectedAuthentication.getDetails());
    assertThat(authentication.isAuthenticated()).isEqualTo(expectedAuthentication.isAuthenticated());
    assertThat(authentication.getAuthorizedClientRegistrationId()).isEqualTo(expectedAuthentication.getAuthorizedClientRegistrationId());
    DefaultOidcUser principal = (DefaultOidcUser) authentication.getPrincipal();
    assertThat(principal.getAuthorities().containsAll(expectedPrincipal.getAuthorities())).isTrue();
    assertThat(principal.getAttributes()).containsExactlyEntriesOf(expectedPrincipal.getAttributes());
    assertThat(principal.getName()).isEqualTo(expectedPrincipal.getName());
    OidcIdToken expectedIdToken = expectedPrincipal.getIdToken();
    OidcIdToken idToken = principal.getIdToken();
    assertThat(idToken.getTokenValue()).isEqualTo(expectedIdToken.getTokenValue());
    assertThat(idToken.getIssuedAt()).isEqualTo(expectedIdToken.getIssuedAt());
    assertThat(idToken.getExpiresAt()).isEqualTo(expectedIdToken.getExpiresAt());
    assertThat(idToken.getClaims()).containsExactlyEntriesOf(expectedIdToken.getClaims());
    assertThat(principal.getUserInfo()).isNull();
}
Also used: OAuth2AuthenticationToken (org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken), OidcIdToken (org.springframework.security.oauth2.core.oidc.OidcIdToken), DefaultOidcUser (org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser), Test (org.junit.jupiter.api.Test)

Example 5 with OidcIdToken

Use of org.springframework.security.oauth2.core.oidc.OidcIdToken in project spring-security by spring-projects.

From class OidcUserServiceTests, method setup.

@BeforeEach
public void setup() throws Exception {
    this.server = new MockWebServer();
    this.server.start();
    this.clientRegistrationBuilder = TestClientRegistrations.clientRegistration().userInfoUri(null).userInfoAuthenticationMethod(AuthenticationMethod.HEADER).userNameAttributeName(StandardClaimNames.SUB);
    this.accessToken = TestOAuth2AccessTokens.scopes(OidcScopes.OPENID, OidcScopes.PROFILE);
    Map<String, Object> idTokenClaims = new HashMap<>();
    idTokenClaims.put(IdTokenClaimNames.ISS, "https://provider.com");
    idTokenClaims.put(IdTokenClaimNames.SUB, "subject1");
    this.idToken = new OidcIdToken("access-token", Instant.MIN, Instant.MAX, idTokenClaims);
    this.userService.setOauth2UserService(new DefaultOAuth2UserService());
}
Also used: OidcIdToken (org.springframework.security.oauth2.core.oidc.OidcIdToken), HashMap (java.util.HashMap), MockWebServer (okhttp3.mockwebserver.MockWebServer), DefaultOAuth2UserService (org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService), BeforeEach (org.junit.jupiter.api.BeforeEach)

Aggregations (type, fully qualified name, number of usages)

OidcIdToken (org.springframework.security.oauth2.core.oidc.OidcIdToken): 7
OAuth2AuthenticationException (org.springframework.security.oauth2.core.OAuth2AuthenticationException): 3
OAuth2Error (org.springframework.security.oauth2.core.OAuth2Error): 3
Test (org.junit.jupiter.api.Test): 2
OAuth2AuthenticationToken (org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken): 2
OidcUserInfo (org.springframework.security.oauth2.core.oidc.OidcUserInfo): 2
DefaultOidcUser (org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser): 2
HashMap (java.util.HashMap): 1
MockWebServer (okhttp3.mockwebserver.MockWebServer): 1
BeforeEach (org.junit.jupiter.api.BeforeEach): 1
OAuth2LoginAuthenticationToken (org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken): 1
OidcUserRequest (org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest): 1
ClientRegistration (org.springframework.security.oauth2.client.registration.ClientRegistration): 1
DefaultOAuth2UserService (org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService): 1
OAuth2AccessTokenResponse (org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse): 1
OAuth2AuthorizationRequest (org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest): 1
OAuth2AuthorizationResponse (org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse): 1
OidcUser (org.springframework.security.oauth2.core.oidc.user.OidcUser): 1
DefaultOAuth2User (org.springframework.security.oauth2.core.user.DefaultOAuth2User): 1
Jwt (org.springframework.security.oauth2.jwt.Jwt): 1