Examples with OAuth2ClientAuthenticationToken - org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken

Example 1 with OAuth2ClientAuthenticationToken

use of org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken in project spring-authorization-server by spring-projects.

the class OAuth2ClientAuthenticationProviderTests method authenticateWhenJwtClientAssertionAndMissingJwkSetUrlThenThrowOAuth2AuthenticationException.

@Test
public void authenticateWhenJwtClientAssertionAndMissingJwkSetUrlThenThrowOAuth2AuthenticationException() {
    // @formatter:off
    RegisteredClient registeredClient = TestRegisteredClients.registeredClient().clientAuthenticationMethod(ClientAuthenticationMethod.PRIVATE_KEY_JWT).clientSettings(ClientSettings.builder().tokenEndpointAuthenticationSigningAlgorithm(SignatureAlgorithm.RS256).build()).build();
    // @formatter:on
    when(this.registeredClientRepository.findByClientId(eq(registeredClient.getClientId()))).thenReturn(registeredClient);
    OAuth2ClientAuthenticationToken authentication = new OAuth2ClientAuthenticationToken(registeredClient.getClientId(), JWT_CLIENT_ASSERTION_AUTHENTICATION_METHOD, "jwt-assertion", null);
    assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication)).isInstanceOf(OAuth2AuthenticationException.class).extracting(ex -> ((OAuth2AuthenticationException) ex).getError()).satisfies(error -> {
        assertThat(error.getErrorCode()).isEqualTo(OAuth2ErrorCodes.INVALID_CLIENT);
        assertThat(error.getDescription()).isEqualTo("Failed to find a Signature Verifier for Client: '" + registeredClient.getId() + "'. Check to ensure you have configured the JWK Set URL.");
    });
}

Also used : UriComponentsBuilder(org.springframework.web.util.UriComponentsBuilder) ArgumentMatchers.eq(org.mockito.ArgumentMatchers.eq) RegisteredClientRepository(org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository) Assertions.assertThat(org.assertj.core.api.Assertions.assertThat) SecretKeySpec(javax.crypto.spec.SecretKeySpec) JWKSet(com.nimbusds.jose.jwk.JWKSet) Mockito.verifyNoInteractions(org.mockito.Mockito.verifyNoInteractions) MacAlgorithm(org.springframework.security.oauth2.jose.jws.MacAlgorithm) TestOAuth2Authorizations(org.springframework.security.oauth2.server.authorization.TestOAuth2Authorizations) Map(java.util.Map) Jwt(org.springframework.security.oauth2.jwt.Jwt) OctetSequenceKey(com.nimbusds.jose.jwk.OctetSequenceKey) ProviderSettings(org.springframework.security.oauth2.server.authorization.config.ProviderSettings) JWKSource(com.nimbusds.jose.jwk.source.JWKSource) OAuth2AuthenticationException(org.springframework.security.oauth2.core.OAuth2AuthenticationException) Instant(java.time.Instant) StandardCharsets(java.nio.charset.StandardCharsets) NoOpPasswordEncoder(org.springframework.security.crypto.password.NoOpPasswordEncoder) SecretKey(javax.crypto.SecretKey) BadJwtException(org.springframework.security.oauth2.jwt.BadJwtException) Mockito.mock(org.mockito.Mockito.mock) ArgumentMatchers.any(org.mockito.ArgumentMatchers.any) SecurityContext(com.nimbusds.jose.proc.SecurityContext) OAuth2ParameterNames(org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames) PkceParameterNames(org.springframework.security.oauth2.core.endpoint.PkceParameterNames) HashMap(java.util.HashMap) JwtEncoder(org.springframework.security.oauth2.jwt.JwtEncoder) Mockito.spy(org.mockito.Mockito.spy) JwtClaimsSet(org.springframework.security.oauth2.jwt.JwtClaimsSet) Assertions.assertThatThrownBy(org.assertj.core.api.Assertions.assertThatThrownBy) ClientAuthenticationMethod(org.springframework.security.oauth2.core.ClientAuthenticationMethod) JwtValidationException(org.springframework.security.oauth2.jwt.JwtValidationException) ClientSettings(org.springframework.security.oauth2.server.authorization.config.ClientSettings) Before(org.junit.Before) OAuth2Authorization(org.springframework.security.oauth2.server.authorization.OAuth2Authorization) RegisteredClient(org.springframework.security.oauth2.server.authorization.client.RegisteredClient) TestKeys(org.springframework.security.oauth2.jose.TestKeys) TestJwks(org.springframework.security.oauth2.jose.TestJwks) Test(org.junit.Test) Mockito.when(org.mockito.Mockito.when) OAuth2ErrorCodes(org.springframework.security.oauth2.core.OAuth2ErrorCodes) NimbusJwsEncoder(org.springframework.security.oauth2.jwt.NimbusJwsEncoder) TestRegisteredClients(org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients) OAuth2AuthorizationService(org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService) Mockito.verify(org.mockito.Mockito.verify) JoseHeader(org.springframework.security.oauth2.jwt.JoseHeader) ChronoUnit(java.time.temporal.ChronoUnit) PasswordEncoder(org.springframework.security.crypto.password.PasswordEncoder) SignatureAlgorithm(org.springframework.security.oauth2.jose.jws.SignatureAlgorithm) OAuth2TokenType(org.springframework.security.oauth2.core.OAuth2TokenType) Collections(java.util.Collections) AuthorizationGrantType(org.springframework.security.oauth2.core.AuthorizationGrantType) OAuth2AuthenticationException(org.springframework.security.oauth2.core.OAuth2AuthenticationException) RegisteredClient(org.springframework.security.oauth2.server.authorization.client.RegisteredClient) Test(org.junit.Test)

Example 2 with OAuth2ClientAuthenticationToken

use of org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken in project spring-authorization-server by spring-projects.

the class OAuth2ClientAuthenticationProviderTests method authenticateWhenInvalidClientSecretThenThrowOAuth2AuthenticationException.

@Test
public void authenticateWhenInvalidClientSecretThenThrowOAuth2AuthenticationException() {
    RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
    when(this.registeredClientRepository.findByClientId(eq(registeredClient.getClientId()))).thenReturn(registeredClient);
    OAuth2ClientAuthenticationToken authentication = new OAuth2ClientAuthenticationToken(registeredClient.getClientId(), ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret() + "-invalid", null);
    assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication)).isInstanceOf(OAuth2AuthenticationException.class).extracting(ex -> ((OAuth2AuthenticationException) ex).getError()).satisfies(error -> {
        assertThat(error.getErrorCode()).isEqualTo(OAuth2ErrorCodes.INVALID_CLIENT);
        assertThat(error.getDescription()).contains(OAuth2ParameterNames.CLIENT_SECRET);
    });
    verify(this.passwordEncoder).matches(any(), any());
}

Example 3 with OAuth2ClientAuthenticationToken

use of org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken in project spring-authorization-server by spring-projects.

the class OAuth2ClientAuthenticationProviderTests method authenticateWhenJwtClientAssertionAndMissingClientSecretThenThrowOAuth2AuthenticationException.

@Test
public void authenticateWhenJwtClientAssertionAndMissingClientSecretThenThrowOAuth2AuthenticationException() {
    // @formatter:off
    RegisteredClient registeredClient = TestRegisteredClients.registeredClient().clientSecret(null).clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_JWT).clientSettings(ClientSettings.builder().tokenEndpointAuthenticationSigningAlgorithm(MacAlgorithm.HS256).build()).build();
    // @formatter:on
    when(this.registeredClientRepository.findByClientId(eq(registeredClient.getClientId()))).thenReturn(registeredClient);
    OAuth2ClientAuthenticationToken authentication = new OAuth2ClientAuthenticationToken(registeredClient.getClientId(), JWT_CLIENT_ASSERTION_AUTHENTICATION_METHOD, "jwt-assertion", null);
    assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication)).isInstanceOf(OAuth2AuthenticationException.class).extracting(ex -> ((OAuth2AuthenticationException) ex).getError()).satisfies(error -> {
        assertThat(error.getErrorCode()).isEqualTo(OAuth2ErrorCodes.INVALID_CLIENT);
        assertThat(error.getDescription()).isEqualTo("Failed to find a Signature Verifier for Client: '" + registeredClient.getId() + "'. Check to ensure you have configured the client secret.");
    });
}

Example 4 with OAuth2ClientAuthenticationToken

use of org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken in project spring-authorization-server by spring-projects.

the class OAuth2ClientAuthenticationProviderTests method authenticateWhenInvalidClientIdThenThrowOAuth2AuthenticationException.

@Test
public void authenticateWhenInvalidClientIdThenThrowOAuth2AuthenticationException() {
    RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
    when(this.registeredClientRepository.findByClientId(eq(registeredClient.getClientId()))).thenReturn(registeredClient);
    OAuth2ClientAuthenticationToken authentication = new OAuth2ClientAuthenticationToken(registeredClient.getClientId() + "-invalid", ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret(), null);
    assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication)).isInstanceOf(OAuth2AuthenticationException.class).extracting(ex -> ((OAuth2AuthenticationException) ex).getError()).satisfies(error -> {
        assertThat(error.getErrorCode()).isEqualTo(OAuth2ErrorCodes.INVALID_CLIENT);
        assertThat(error.getDescription()).contains(OAuth2ParameterNames.CLIENT_ID);
    });
}

Example 5 with OAuth2ClientAuthenticationToken

use of org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken in project spring-authorization-server by spring-projects.

the class OAuth2AuthorizationCodeAuthenticationProviderTests method authenticateWhenValidCodeAndAuthenticationRequestThenReturnIdToken.

@Test
public void authenticateWhenValidCodeAndAuthenticationRequestThenReturnIdToken() {
    RegisteredClient registeredClient = TestRegisteredClients.registeredClient().scope(OidcScopes.OPENID).build();
    OAuth2Authorization authorization = TestOAuth2Authorizations.authorization(registeredClient).build();
    when(this.authorizationService.findByToken(eq(AUTHORIZATION_CODE), eq(AUTHORIZATION_CODE_TOKEN_TYPE))).thenReturn(authorization);
    OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret());
    OAuth2AuthorizationRequest authorizationRequest = authorization.getAttribute(OAuth2AuthorizationRequest.class.getName());
    OAuth2AuthorizationCodeAuthenticationToken authentication = new OAuth2AuthorizationCodeAuthenticationToken(AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri(), null);
    when(this.jwtEncoder.encode(any(), any())).thenReturn(createJwt());
    OAuth2AccessTokenAuthenticationToken accessTokenAuthentication = (OAuth2AccessTokenAuthenticationToken) this.authenticationProvider.authenticate(authentication);
    ArgumentCaptor<JwtEncodingContext> jwtEncodingContextCaptor = ArgumentCaptor.forClass(JwtEncodingContext.class);
    verify(this.jwtCustomizer, times(2)).customize(jwtEncodingContextCaptor.capture());
    // Access Token context
    JwtEncodingContext accessTokenContext = jwtEncodingContextCaptor.getAllValues().get(0);
    assertThat(accessTokenContext.getRegisteredClient()).isEqualTo(registeredClient);
    assertThat(accessTokenContext.<Authentication>getPrincipal()).isEqualTo(authorization.getAttribute(Principal.class.getName()));
    assertThat(accessTokenContext.getAuthorization()).isEqualTo(authorization);
    assertThat(accessTokenContext.getAuthorizedScopes()).isEqualTo(authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
    assertThat(accessTokenContext.getTokenType()).isEqualTo(OAuth2TokenType.ACCESS_TOKEN);
    assertThat(accessTokenContext.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
    assertThat(accessTokenContext.<OAuth2AuthorizationGrantAuthenticationToken>getAuthorizationGrant()).isEqualTo(authentication);
    assertThat(accessTokenContext.getHeaders()).isNotNull();
    assertThat(accessTokenContext.getClaims()).isNotNull();
    Map<String, Object> claims = new HashMap<>();
    accessTokenContext.getClaims().claims(claims::putAll);
    assertThat(claims).flatExtracting(OAuth2ParameterNames.SCOPE).containsExactlyInAnyOrder(OidcScopes.OPENID, "scope1");
    // ID Token context
    JwtEncodingContext idTokenContext = jwtEncodingContextCaptor.getAllValues().get(1);
    assertThat(idTokenContext.getRegisteredClient()).isEqualTo(registeredClient);
    assertThat(idTokenContext.<Authentication>getPrincipal()).isEqualTo(authorization.getAttribute(Principal.class.getName()));
    assertThat(idTokenContext.getAuthorization()).isEqualTo(authorization);
    assertThat(idTokenContext.getAuthorizedScopes()).isEqualTo(authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
    assertThat(idTokenContext.getTokenType().getValue()).isEqualTo(OidcParameterNames.ID_TOKEN);
    assertThat(idTokenContext.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
    assertThat(idTokenContext.<OAuth2AuthorizationGrantAuthenticationToken>getAuthorizationGrant()).isEqualTo(authentication);
    assertThat(idTokenContext.getHeaders()).isNotNull();
    assertThat(idTokenContext.getClaims()).isNotNull();
    // Access token and ID Token
    verify(this.jwtEncoder, times(2)).encode(any(), any());
    ArgumentCaptor<OAuth2Authorization> authorizationCaptor = ArgumentCaptor.forClass(OAuth2Authorization.class);
    verify(this.authorizationService).save(authorizationCaptor.capture());
    OAuth2Authorization updatedAuthorization = authorizationCaptor.getValue();
    assertThat(accessTokenAuthentication.getRegisteredClient().getId()).isEqualTo(updatedAuthorization.getRegisteredClientId());
    assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal);
    assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(updatedAuthorization.getAccessToken().getToken());
    Set<String> accessTokenScopes = new HashSet<>(updatedAuthorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
    assertThat(accessTokenAuthentication.getAccessToken().getScopes()).isEqualTo(accessTokenScopes);
    assertThat(accessTokenAuthentication.getRefreshToken()).isNotNull();
    assertThat(accessTokenAuthentication.getRefreshToken()).isEqualTo(updatedAuthorization.getRefreshToken().getToken());
    OAuth2Authorization.Token<OAuth2AuthorizationCode> authorizationCode = updatedAuthorization.getToken(OAuth2AuthorizationCode.class);
    assertThat(authorizationCode.isInvalidated()).isTrue();
    OAuth2Authorization.Token<OidcIdToken> idToken = updatedAuthorization.getToken(OidcIdToken.class);
    assertThat(idToken).isNotNull();
    assertThat(accessTokenAuthentication.getAdditionalParameters()).containsExactly(entry(OidcParameterNames.ID_TOKEN, idToken.getToken().getTokenValue()));
}

Also used : OidcIdToken(org.springframework.security.oauth2.core.oidc.OidcIdToken) HashMap(java.util.HashMap) OAuth2Authorization(org.springframework.security.oauth2.server.authorization.OAuth2Authorization) RegisteredClient(org.springframework.security.oauth2.server.authorization.client.RegisteredClient) Authentication(org.springframework.security.core.Authentication) OAuth2AuthorizationCode(org.springframework.security.oauth2.core.OAuth2AuthorizationCode) JwtEncodingContext(org.springframework.security.oauth2.server.authorization.JwtEncodingContext) OAuth2AuthorizationRequest(org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest) HashSet(java.util.HashSet) Test(org.junit.Test)

Aggregations

RegisteredClient (org.springframework.security.oauth2.server.authorization.client.RegisteredClient)103 Test (org.junit.Test)102 OAuth2Authorization (org.springframework.security.oauth2.server.authorization.OAuth2Authorization)68 OAuth2AuthenticationException (org.springframework.security.oauth2.core.OAuth2AuthenticationException)51 Instant (java.time.Instant)38 Authentication (org.springframework.security.core.Authentication)36 ClientAuthenticationMethod (org.springframework.security.oauth2.core.ClientAuthenticationMethod)32 OAuth2TokenType (org.springframework.security.oauth2.core.OAuth2TokenType)32 Jwt (org.springframework.security.oauth2.jwt.Jwt)32 Assertions.assertThat (org.assertj.core.api.Assertions.assertThat)31 Assertions.assertThatThrownBy (org.assertj.core.api.Assertions.assertThatThrownBy)31 TestRegisteredClients (org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients)31 AuthorizationGrantType (org.springframework.security.oauth2.core.AuthorizationGrantType)30 OAuth2ParameterNames (org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames)30 OAuth2ClientAuthenticationToken (org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken)30 ProviderSettings (org.springframework.security.oauth2.server.authorization.config.ProviderSettings)30 ChronoUnit (java.time.temporal.ChronoUnit)29 HashMap (java.util.HashMap)29 Before (org.junit.Before)29 ArgumentMatchers.any (org.mockito.ArgumentMatchers.any)29