Search in sources :

Example 1 with OAuth2AccessTokenAuthenticationToken

use of org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken in project spring-authorization-server by spring-projects.

the class OAuth2AuthorizationCodeAuthenticationProviderTests method authenticateWhenValidCodeAndAuthenticationRequestThenReturnIdToken.

@Test
public void authenticateWhenValidCodeAndAuthenticationRequestThenReturnIdToken() {
    RegisteredClient registeredClient = TestRegisteredClients.registeredClient().scope(OidcScopes.OPENID).build();
    OAuth2Authorization authorization = TestOAuth2Authorizations.authorization(registeredClient).build();
    when(this.authorizationService.findByToken(eq(AUTHORIZATION_CODE), eq(AUTHORIZATION_CODE_TOKEN_TYPE))).thenReturn(authorization);
    OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret());
    OAuth2AuthorizationRequest authorizationRequest = authorization.getAttribute(OAuth2AuthorizationRequest.class.getName());
    OAuth2AuthorizationCodeAuthenticationToken authentication = new OAuth2AuthorizationCodeAuthenticationToken(AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri(), null);
    when(this.jwtEncoder.encode(any(), any())).thenReturn(createJwt());
    OAuth2AccessTokenAuthenticationToken accessTokenAuthentication = (OAuth2AccessTokenAuthenticationToken) this.authenticationProvider.authenticate(authentication);
    ArgumentCaptor<JwtEncodingContext> jwtEncodingContextCaptor = ArgumentCaptor.forClass(JwtEncodingContext.class);
    verify(this.jwtCustomizer, times(2)).customize(jwtEncodingContextCaptor.capture());
    // Access Token context
    JwtEncodingContext accessTokenContext = jwtEncodingContextCaptor.getAllValues().get(0);
    assertThat(accessTokenContext.getRegisteredClient()).isEqualTo(registeredClient);
    assertThat(accessTokenContext.<Authentication>getPrincipal()).isEqualTo(authorization.getAttribute(Principal.class.getName()));
    assertThat(accessTokenContext.getAuthorization()).isEqualTo(authorization);
    assertThat(accessTokenContext.getAuthorizedScopes()).isEqualTo(authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
    assertThat(accessTokenContext.getTokenType()).isEqualTo(OAuth2TokenType.ACCESS_TOKEN);
    assertThat(accessTokenContext.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
    assertThat(accessTokenContext.<OAuth2AuthorizationGrantAuthenticationToken>getAuthorizationGrant()).isEqualTo(authentication);
    assertThat(accessTokenContext.getHeaders()).isNotNull();
    assertThat(accessTokenContext.getClaims()).isNotNull();
    Map<String, Object> claims = new HashMap<>();
    accessTokenContext.getClaims().claims(claims::putAll);
    assertThat(claims).flatExtracting(OAuth2ParameterNames.SCOPE).containsExactlyInAnyOrder(OidcScopes.OPENID, "scope1");
    // ID Token context
    JwtEncodingContext idTokenContext = jwtEncodingContextCaptor.getAllValues().get(1);
    assertThat(idTokenContext.getRegisteredClient()).isEqualTo(registeredClient);
    assertThat(idTokenContext.<Authentication>getPrincipal()).isEqualTo(authorization.getAttribute(Principal.class.getName()));
    assertThat(idTokenContext.getAuthorization()).isEqualTo(authorization);
    assertThat(idTokenContext.getAuthorizedScopes()).isEqualTo(authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
    assertThat(idTokenContext.getTokenType().getValue()).isEqualTo(OidcParameterNames.ID_TOKEN);
    assertThat(idTokenContext.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
    assertThat(idTokenContext.<OAuth2AuthorizationGrantAuthenticationToken>getAuthorizationGrant()).isEqualTo(authentication);
    assertThat(idTokenContext.getHeaders()).isNotNull();
    assertThat(idTokenContext.getClaims()).isNotNull();
    // Access token and ID Token
    verify(this.jwtEncoder, times(2)).encode(any(), any());
    ArgumentCaptor<OAuth2Authorization> authorizationCaptor = ArgumentCaptor.forClass(OAuth2Authorization.class);
    verify(this.authorizationService).save(authorizationCaptor.capture());
    OAuth2Authorization updatedAuthorization = authorizationCaptor.getValue();
    assertThat(accessTokenAuthentication.getRegisteredClient().getId()).isEqualTo(updatedAuthorization.getRegisteredClientId());
    assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal);
    assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(updatedAuthorization.getAccessToken().getToken());
    Set<String> accessTokenScopes = new HashSet<>(updatedAuthorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
    assertThat(accessTokenAuthentication.getAccessToken().getScopes()).isEqualTo(accessTokenScopes);
    assertThat(accessTokenAuthentication.getRefreshToken()).isNotNull();
    assertThat(accessTokenAuthentication.getRefreshToken()).isEqualTo(updatedAuthorization.getRefreshToken().getToken());
    OAuth2Authorization.Token<OAuth2AuthorizationCode> authorizationCode = updatedAuthorization.getToken(OAuth2AuthorizationCode.class);
    assertThat(authorizationCode.isInvalidated()).isTrue();
    OAuth2Authorization.Token<OidcIdToken> idToken = updatedAuthorization.getToken(OidcIdToken.class);
    assertThat(idToken).isNotNull();
    assertThat(accessTokenAuthentication.getAdditionalParameters()).containsExactly(entry(OidcParameterNames.ID_TOKEN, idToken.getToken().getTokenValue()));
}
Also used : OidcIdToken(org.springframework.security.oauth2.core.oidc.OidcIdToken) HashMap(java.util.HashMap) OAuth2Authorization(org.springframework.security.oauth2.server.authorization.OAuth2Authorization) RegisteredClient(org.springframework.security.oauth2.server.authorization.client.RegisteredClient) Authentication(org.springframework.security.core.Authentication) OAuth2AuthorizationCode(org.springframework.security.oauth2.core.OAuth2AuthorizationCode) JwtEncodingContext(org.springframework.security.oauth2.server.authorization.JwtEncodingContext) OAuth2AuthorizationRequest(org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 2 with OAuth2AccessTokenAuthenticationToken

use of org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken in project spring-authorization-server by spring-projects.

the class OAuth2RefreshTokenAuthenticationProviderTests method authenticateWhenValidRefreshTokenThenReturnAccessToken.

@Test
public void authenticateWhenValidRefreshTokenThenReturnAccessToken() {
    RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
    OAuth2Authorization authorization = TestOAuth2Authorizations.authorization(registeredClient).build();
    when(this.authorizationService.findByToken(eq(authorization.getRefreshToken().getToken().getTokenValue()), eq(OAuth2TokenType.REFRESH_TOKEN))).thenReturn(authorization);
    OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret());
    OAuth2RefreshTokenAuthenticationToken authentication = new OAuth2RefreshTokenAuthenticationToken(authorization.getRefreshToken().getToken().getTokenValue(), clientPrincipal, null, null);
    OAuth2AccessTokenAuthenticationToken accessTokenAuthentication = (OAuth2AccessTokenAuthenticationToken) this.authenticationProvider.authenticate(authentication);
    ArgumentCaptor<JwtEncodingContext> jwtEncodingContextCaptor = ArgumentCaptor.forClass(JwtEncodingContext.class);
    verify(this.jwtCustomizer).customize(jwtEncodingContextCaptor.capture());
    JwtEncodingContext jwtEncodingContext = jwtEncodingContextCaptor.getValue();
    assertThat(jwtEncodingContext.getRegisteredClient()).isEqualTo(registeredClient);
    assertThat(jwtEncodingContext.<Authentication>getPrincipal()).isEqualTo(authorization.getAttribute(Principal.class.getName()));
    assertThat(jwtEncodingContext.getAuthorization()).isEqualTo(authorization);
    assertThat(jwtEncodingContext.getAuthorizedScopes()).isEqualTo(authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
    assertThat(jwtEncodingContext.getTokenType()).isEqualTo(OAuth2TokenType.ACCESS_TOKEN);
    assertThat(jwtEncodingContext.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.REFRESH_TOKEN);
    assertThat(jwtEncodingContext.<OAuth2AuthorizationGrantAuthenticationToken>getAuthorizationGrant()).isEqualTo(authentication);
    assertThat(jwtEncodingContext.getHeaders()).isNotNull();
    assertThat(jwtEncodingContext.getClaims()).isNotNull();
    ArgumentCaptor<OAuth2Authorization> authorizationCaptor = ArgumentCaptor.forClass(OAuth2Authorization.class);
    verify(this.authorizationService).save(authorizationCaptor.capture());
    OAuth2Authorization updatedAuthorization = authorizationCaptor.getValue();
    assertThat(accessTokenAuthentication.getRegisteredClient().getId()).isEqualTo(updatedAuthorization.getRegisteredClientId());
    assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal);
    assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(updatedAuthorization.getAccessToken().getToken());
    assertThat(updatedAuthorization.getAccessToken()).isNotEqualTo(authorization.getAccessToken());
    assertThat(accessTokenAuthentication.getRefreshToken()).isEqualTo(updatedAuthorization.getRefreshToken().getToken());
    // By default, refresh token is reused
    assertThat(updatedAuthorization.getRefreshToken()).isEqualTo(authorization.getRefreshToken());
}
Also used : Authentication(org.springframework.security.core.Authentication) JwtEncodingContext(org.springframework.security.oauth2.server.authorization.JwtEncodingContext) OAuth2Authorization(org.springframework.security.oauth2.server.authorization.OAuth2Authorization) RegisteredClient(org.springframework.security.oauth2.server.authorization.client.RegisteredClient) Test(org.junit.Test)

Example 3 with OAuth2AccessTokenAuthenticationToken

use of org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken in project spring-authorization-server by spring-projects.

the class OAuth2AuthorizationCodeAuthenticationProviderTests method authenticateWhenRefreshTokenGrantNotConfiguredThenRefreshTokenNotIssued.

@Test
public void authenticateWhenRefreshTokenGrantNotConfiguredThenRefreshTokenNotIssued() {
    RegisteredClient registeredClient = TestRegisteredClients.registeredClient().authorizationGrantTypes(grantTypes -> grantTypes.remove(AuthorizationGrantType.REFRESH_TOKEN)).build();
    OAuth2Authorization authorization = TestOAuth2Authorizations.authorization(registeredClient).build();
    when(this.authorizationService.findByToken(eq(AUTHORIZATION_CODE), eq(AUTHORIZATION_CODE_TOKEN_TYPE))).thenReturn(authorization);
    OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret());
    OAuth2AuthorizationRequest authorizationRequest = authorization.getAttribute(OAuth2AuthorizationRequest.class.getName());
    OAuth2AuthorizationCodeAuthenticationToken authentication = new OAuth2AuthorizationCodeAuthenticationToken(AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri(), null);
    when(this.jwtEncoder.encode(any(), any())).thenReturn(createJwt());
    OAuth2AccessTokenAuthenticationToken accessTokenAuthentication = (OAuth2AccessTokenAuthenticationToken) this.authenticationProvider.authenticate(authentication);
    assertThat(accessTokenAuthentication.getRefreshToken()).isNull();
}
Also used : TestingAuthenticationToken(org.springframework.security.authentication.TestingAuthenticationToken) OAuth2TokenGenerator(org.springframework.security.oauth2.server.authorization.OAuth2TokenGenerator) JwtEncodingContext(org.springframework.security.oauth2.server.authorization.JwtEncodingContext) ArgumentMatchers.eq(org.mockito.ArgumentMatchers.eq) Assertions.assertThat(org.assertj.core.api.Assertions.assertThat) TestOAuth2Authorizations(org.springframework.security.oauth2.server.authorization.TestOAuth2Authorizations) Duration(java.time.Duration) Map(java.util.Map) After(org.junit.After) Mockito.doAnswer(org.mockito.Mockito.doAnswer) OidcScopes(org.springframework.security.oauth2.core.oidc.OidcScopes) Jwt(org.springframework.security.oauth2.jwt.Jwt) ProviderSettings(org.springframework.security.oauth2.server.authorization.config.ProviderSettings) OAuth2AuthenticationException(org.springframework.security.oauth2.core.OAuth2AuthenticationException) Set(java.util.Set) JoseHeaderNames(org.springframework.security.oauth2.jwt.JoseHeaderNames) JwtGenerator(org.springframework.security.oauth2.server.authorization.JwtGenerator) Instant(java.time.Instant) ProviderContextHolder(org.springframework.security.oauth2.server.authorization.context.ProviderContextHolder) Principal(java.security.Principal) OAuth2TokenContext(org.springframework.security.oauth2.server.authorization.OAuth2TokenContext) ProviderContext(org.springframework.security.oauth2.server.authorization.context.ProviderContext) OAuth2RefreshTokenGenerator(org.springframework.security.oauth2.server.authorization.OAuth2RefreshTokenGenerator) Authentication(org.springframework.security.core.Authentication) OAuth2Token(org.springframework.security.oauth2.core.OAuth2Token) Mockito.mock(org.mockito.Mockito.mock) ArgumentMatchers.any(org.mockito.ArgumentMatchers.any) OAuth2ParameterNames(org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames) OidcParameterNames(org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames) HashMap(java.util.HashMap) OAuth2AccessTokenGenerator(org.springframework.security.oauth2.server.authorization.OAuth2AccessTokenGenerator) TokenSettings(org.springframework.security.oauth2.server.authorization.config.TokenSettings) JwtEncoder(org.springframework.security.oauth2.jwt.JwtEncoder) Mockito.spy(org.mockito.Mockito.spy) Supplier(java.util.function.Supplier) HashSet(java.util.HashSet) JwtClaimsSet(org.springframework.security.oauth2.jwt.JwtClaimsSet) ArgumentCaptor(org.mockito.ArgumentCaptor) Assertions.assertThatThrownBy(org.assertj.core.api.Assertions.assertThatThrownBy) ClientAuthenticationMethod(org.springframework.security.oauth2.core.ClientAuthenticationMethod) Before(org.junit.Before) OAuth2Authorization(org.springframework.security.oauth2.server.authorization.OAuth2Authorization) OidcIdToken(org.springframework.security.oauth2.core.oidc.OidcIdToken) RegisteredClient(org.springframework.security.oauth2.server.authorization.client.RegisteredClient) OAuth2AuthorizationRequest(org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest) DelegatingOAuth2TokenGenerator(org.springframework.security.oauth2.server.authorization.DelegatingOAuth2TokenGenerator) Test(org.junit.Test) Mockito.times(org.mockito.Mockito.times) OAuth2TokenClaimsContext(org.springframework.security.oauth2.server.authorization.OAuth2TokenClaimsContext) Mockito.when(org.mockito.Mockito.when) OAuth2ErrorCodes(org.springframework.security.oauth2.core.OAuth2ErrorCodes) Assertions.entry(org.assertj.core.api.Assertions.entry) TestRegisteredClients(org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients) OAuth2AuthorizationService(org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService) Mockito.verify(org.mockito.Mockito.verify) ChronoUnit(java.time.temporal.ChronoUnit) OAuth2AuthorizationCode(org.springframework.security.oauth2.core.OAuth2AuthorizationCode) SignatureAlgorithm(org.springframework.security.oauth2.jose.jws.SignatureAlgorithm) OAuth2TokenType(org.springframework.security.oauth2.core.OAuth2TokenType) OAuth2TokenCustomizer(org.springframework.security.oauth2.server.authorization.OAuth2TokenCustomizer) OAuth2TokenFormat(org.springframework.security.oauth2.core.OAuth2TokenFormat) AuthorizationGrantType(org.springframework.security.oauth2.core.AuthorizationGrantType) OAuth2Authorization(org.springframework.security.oauth2.server.authorization.OAuth2Authorization) OAuth2AuthorizationRequest(org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest) RegisteredClient(org.springframework.security.oauth2.server.authorization.client.RegisteredClient) Test(org.junit.Test)

Example 4 with OAuth2AccessTokenAuthenticationToken

use of org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken in project spring-authorization-server by spring-projects.

the class OAuth2AuthorizationCodeAuthenticationProviderTests method authenticateWhenValidCodeThenReturnAccessToken.

@Test
public void authenticateWhenValidCodeThenReturnAccessToken() {
    RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
    OAuth2Authorization authorization = TestOAuth2Authorizations.authorization(registeredClient).build();
    when(this.authorizationService.findByToken(eq(AUTHORIZATION_CODE), eq(AUTHORIZATION_CODE_TOKEN_TYPE))).thenReturn(authorization);
    OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret());
    OAuth2AuthorizationRequest authorizationRequest = authorization.getAttribute(OAuth2AuthorizationRequest.class.getName());
    OAuth2AuthorizationCodeAuthenticationToken authentication = new OAuth2AuthorizationCodeAuthenticationToken(AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri(), null);
    when(this.jwtEncoder.encode(any(), any())).thenReturn(createJwt());
    OAuth2AccessTokenAuthenticationToken accessTokenAuthentication = (OAuth2AccessTokenAuthenticationToken) this.authenticationProvider.authenticate(authentication);
    ArgumentCaptor<JwtEncodingContext> jwtEncodingContextCaptor = ArgumentCaptor.forClass(JwtEncodingContext.class);
    verify(this.jwtCustomizer).customize(jwtEncodingContextCaptor.capture());
    JwtEncodingContext jwtEncodingContext = jwtEncodingContextCaptor.getValue();
    assertThat(jwtEncodingContext.getRegisteredClient()).isEqualTo(registeredClient);
    assertThat(jwtEncodingContext.<Authentication>getPrincipal()).isEqualTo(authorization.getAttribute(Principal.class.getName()));
    assertThat(jwtEncodingContext.getAuthorization()).isEqualTo(authorization);
    assertThat(jwtEncodingContext.getAuthorizedScopes()).isEqualTo(authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
    assertThat(jwtEncodingContext.getTokenType()).isEqualTo(OAuth2TokenType.ACCESS_TOKEN);
    assertThat(jwtEncodingContext.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
    assertThat(jwtEncodingContext.<OAuth2AuthorizationGrantAuthenticationToken>getAuthorizationGrant()).isEqualTo(authentication);
    assertThat(jwtEncodingContext.getHeaders()).isNotNull();
    assertThat(jwtEncodingContext.getClaims()).isNotNull();
    ArgumentCaptor<JwtClaimsSet> jwtClaimsSetCaptor = ArgumentCaptor.forClass(JwtClaimsSet.class);
    verify(this.jwtEncoder).encode(any(), jwtClaimsSetCaptor.capture());
    JwtClaimsSet jwtClaimsSet = jwtClaimsSetCaptor.getValue();
    Set<String> scopes = jwtClaimsSet.getClaim(OAuth2ParameterNames.SCOPE);
    assertThat(scopes).isEqualTo(authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
    assertThat(jwtClaimsSet.getSubject()).isEqualTo(authorization.getPrincipalName());
    ArgumentCaptor<OAuth2Authorization> authorizationCaptor = ArgumentCaptor.forClass(OAuth2Authorization.class);
    verify(this.authorizationService).save(authorizationCaptor.capture());
    OAuth2Authorization updatedAuthorization = authorizationCaptor.getValue();
    assertThat(accessTokenAuthentication.getRegisteredClient().getId()).isEqualTo(updatedAuthorization.getRegisteredClientId());
    assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal);
    assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(updatedAuthorization.getAccessToken().getToken());
    assertThat(accessTokenAuthentication.getAccessToken().getScopes()).isEqualTo(authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
    assertThat(accessTokenAuthentication.getRefreshToken()).isNotNull();
    assertThat(accessTokenAuthentication.getRefreshToken()).isEqualTo(updatedAuthorization.getRefreshToken().getToken());
    OAuth2Authorization.Token<OAuth2AuthorizationCode> authorizationCode = updatedAuthorization.getToken(OAuth2AuthorizationCode.class);
    assertThat(authorizationCode.isInvalidated()).isTrue();
}
Also used : OAuth2Authorization(org.springframework.security.oauth2.server.authorization.OAuth2Authorization) RegisteredClient(org.springframework.security.oauth2.server.authorization.client.RegisteredClient) JwtClaimsSet(org.springframework.security.oauth2.jwt.JwtClaimsSet) Authentication(org.springframework.security.core.Authentication) OAuth2AuthorizationCode(org.springframework.security.oauth2.core.OAuth2AuthorizationCode) JwtEncodingContext(org.springframework.security.oauth2.server.authorization.JwtEncodingContext) OAuth2AuthorizationRequest(org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest) Test(org.junit.Test)

Example 5 with OAuth2AccessTokenAuthenticationToken

use of org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken in project spring-authorization-server by spring-projects.

the class OAuth2ClientCredentialsAuthenticationProviderTests method authenticateWhenValidAuthenticationThenReturnAccessToken.

@Test
public void authenticateWhenValidAuthenticationThenReturnAccessToken() {
    RegisteredClient registeredClient = TestRegisteredClients.registeredClient2().build();
    OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret());
    OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal, null, null);
    when(this.jwtEncoder.encode(any(), any())).thenReturn(createJwt(registeredClient.getScopes()));
    OAuth2AccessTokenAuthenticationToken accessTokenAuthentication = (OAuth2AccessTokenAuthenticationToken) this.authenticationProvider.authenticate(authentication);
    ArgumentCaptor<JwtEncodingContext> jwtEncodingContextCaptor = ArgumentCaptor.forClass(JwtEncodingContext.class);
    verify(this.jwtCustomizer).customize(jwtEncodingContextCaptor.capture());
    JwtEncodingContext jwtEncodingContext = jwtEncodingContextCaptor.getValue();
    assertThat(jwtEncodingContext.getRegisteredClient()).isEqualTo(registeredClient);
    assertThat(jwtEncodingContext.<Authentication>getPrincipal()).isEqualTo(clientPrincipal);
    assertThat(jwtEncodingContext.getAuthorization()).isNull();
    assertThat(jwtEncodingContext.getTokenType()).isEqualTo(OAuth2TokenType.ACCESS_TOKEN);
    assertThat(jwtEncodingContext.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.CLIENT_CREDENTIALS);
    assertThat(jwtEncodingContext.<OAuth2AuthorizationGrantAuthenticationToken>getAuthorizationGrant()).isEqualTo(authentication);
    assertThat(jwtEncodingContext.getHeaders()).isNotNull();
    assertThat(jwtEncodingContext.getClaims()).isNotNull();
    ArgumentCaptor<OAuth2Authorization> authorizationCaptor = ArgumentCaptor.forClass(OAuth2Authorization.class);
    verify(this.authorizationService).save(authorizationCaptor.capture());
    OAuth2Authorization authorization = authorizationCaptor.getValue();
    assertThat(jwtEncodingContext.getAuthorizedScopes()).isEqualTo(authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
    assertThat(authorization.getRegisteredClientId()).isEqualTo(clientPrincipal.getRegisteredClient().getId());
    assertThat(authorization.getPrincipalName()).isEqualTo(clientPrincipal.getName());
    assertThat(authorization.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.CLIENT_CREDENTIALS);
    assertThat(authorization.getAccessToken()).isNotNull();
    assertThat(authorization.<Set<String>>getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME)).isNotNull();
    assertThat(authorization.getAccessToken().getToken().getScopes()).isEqualTo(authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
    assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal);
    assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(authorization.getAccessToken().getToken());
}
Also used : Set(java.util.Set) Authentication(org.springframework.security.core.Authentication) JwtEncodingContext(org.springframework.security.oauth2.server.authorization.JwtEncodingContext) OAuth2Authorization(org.springframework.security.oauth2.server.authorization.OAuth2Authorization) RegisteredClient(org.springframework.security.oauth2.server.authorization.client.RegisteredClient) Test(org.junit.Test)

Aggregations

RegisteredClient (org.springframework.security.oauth2.server.authorization.client.RegisteredClient)25 Test (org.junit.Test)20 OAuth2Authorization (org.springframework.security.oauth2.server.authorization.OAuth2Authorization)17 Authentication (org.springframework.security.core.Authentication)16 OAuth2AccessToken (org.springframework.security.oauth2.core.OAuth2AccessToken)11 OAuth2AccessTokenAuthenticationToken (org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken)11 OAuth2ClientAuthenticationToken (org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken)9 JwtEncodingContext (org.springframework.security.oauth2.server.authorization.JwtEncodingContext)8 OAuth2AuthorizationRequest (org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest)7 FilterChain (javax.servlet.FilterChain)6 MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest)6 MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse)6 SecurityContext (org.springframework.security.core.context.SecurityContext)6 Instant (java.time.Instant)5 OAuth2AuthenticationException (org.springframework.security.oauth2.core.OAuth2AuthenticationException)5 OAuth2AuthorizationCode (org.springframework.security.oauth2.core.OAuth2AuthorizationCode)5 OAuth2RefreshToken (org.springframework.security.oauth2.core.OAuth2RefreshToken)5 OidcIdToken (org.springframework.security.oauth2.core.oidc.OidcIdToken)5 OAuth2TokenContext (org.springframework.security.oauth2.server.authorization.OAuth2TokenContext)5 Principal (java.security.Principal)4