use of org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcClientRegistrationAuthenticationToken in project spring-authorization-server by spring-projects.
the class OidcClientRegistrationAuthenticationProviderTests method authenticateWhenClientConfigurationRequestClientIdNotEqualToAuthorizedClientThenThrowOAuth2AuthenticationException.
/**
 * Client configuration (read) request for one {@code client_id} while the bearer
 * registration access token was issued to a different client. The provider must
 * refuse to disclose the requested client's configuration and answer with
 * {@code invalid_client}; the token's ownership, not just its validity, is checked.
 */
@Test
public void authenticateWhenClientConfigurationRequestClientIdNotEqualToAuthorizedClientThenThrowOAuth2AuthenticationException() {
	Jwt configurationJwt = createJwtClientConfiguration();
	OAuth2AccessToken bearerToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
			configurationJwt.getTokenValue(), configurationJwt.getIssuedAt(), configurationJwt.getExpiresAt(),
			configurationJwt.getClaim(OAuth2ParameterNames.SCOPE));

	// The client named in the request...
	RegisteredClient requestedClient = TestRegisteredClients.registeredClient().build();
	// ...is not the client the bearer token was granted to.
	RegisteredClient tokenOwnerClient = TestRegisteredClients.registeredClient()
			.id("registration-2")
			.clientId("client-2")
			.build();
	OAuth2Authorization tokenOwnerAuthorization = TestOAuth2Authorizations
			.authorization(tokenOwnerClient, bearerToken, configurationJwt.getClaims())
			.build();

	when(this.registeredClientRepository.findByClientId(eq(requestedClient.getClientId())))
			.thenReturn(requestedClient);
	when(this.authorizationService.findByToken(eq(bearerToken.getTokenValue()), eq(OAuth2TokenType.ACCESS_TOKEN)))
			.thenReturn(tokenOwnerAuthorization);

	JwtAuthenticationToken jwtPrincipal = new JwtAuthenticationToken(configurationJwt,
			AuthorityUtils.createAuthorityList("SCOPE_client.read"));
	OidcClientRegistrationAuthenticationToken configurationRequest =
			new OidcClientRegistrationAuthenticationToken(jwtPrincipal, requestedClient.getClientId());

	assertThatThrownBy(() -> this.authenticationProvider.authenticate(configurationRequest))
			.isInstanceOf(OAuth2AuthenticationException.class)
			.extracting(ex -> ((OAuth2AuthenticationException) ex).getError())
			.satisfies(error -> assertThat(error.getErrorCode()).isEqualTo(OAuth2ErrorCodes.INVALID_CLIENT));

	// Both lookups happen before the mismatch is detected.
	verify(this.registeredClientRepository).findByClientId(eq(requestedClient.getClientId()));
	verify(this.authorizationService).findByToken(eq(bearerToken.getTokenValue()), eq(OAuth2TokenType.ACCESS_TOKEN));
}
use of org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcClientRegistrationAuthenticationToken in project spring-authorization-server by spring-projects.
the class OidcClientRegistrationAuthenticationProviderTests method authenticateWhenRegistrationAccessTokenNotGeneratedThenThrowOAuth2AuthenticationException.
/**
 * Registration request with a valid initial access token, but the token generator
 * yields {@code null} for the registration access token. The provider must fail the
 * whole registration with {@code server_error} and a description naming the generator
 * failure, rather than returning a registration without a usable registration token.
 */
@Test
public void authenticateWhenRegistrationAccessTokenNotGeneratedThenThrowOAuth2AuthenticationException() {
	Jwt registrationJwt = createJwtClientRegistration();
	OAuth2AccessToken initialAccessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
			registrationJwt.getTokenValue(), registrationJwt.getIssuedAt(), registrationJwt.getExpiresAt(),
			registrationJwt.getClaim(OAuth2ParameterNames.SCOPE));
	RegisteredClient client = TestRegisteredClients.registeredClient().build();
	OAuth2Authorization initialAuthorization = TestOAuth2Authorizations
			.authorization(client, initialAccessToken, registrationJwt.getClaims())
			.build();

	// Simulate a generator that cannot mint the registration access token.
	doReturn(null).when(this.tokenGenerator).generate(any());
	when(this.authorizationService.findByToken(eq(initialAccessToken.getTokenValue()), eq(OAuth2TokenType.ACCESS_TOKEN)))
			.thenReturn(initialAuthorization);

	JwtAuthenticationToken jwtPrincipal = new JwtAuthenticationToken(registrationJwt,
			AuthorityUtils.createAuthorityList("SCOPE_client.create"));
	// @formatter:off
	OidcClientRegistration requestedRegistration = OidcClientRegistration.builder()
			.clientName("client-name")
			.redirectUri("https://client.example.com")
			.grantType(AuthorizationGrantType.AUTHORIZATION_CODE.getValue())
			.grantType(AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
			.scope("scope1")
			.scope("scope2")
			.build();
	// @formatter:on
	OidcClientRegistrationAuthenticationToken registrationRequest =
			new OidcClientRegistrationAuthenticationToken(jwtPrincipal, requestedRegistration);

	assertThatThrownBy(() -> this.authenticationProvider.authenticate(registrationRequest))
			.isInstanceOf(OAuth2AuthenticationException.class)
			.extracting(ex -> ((OAuth2AuthenticationException) ex).getError())
			.satisfies(error -> {
				assertThat(error.getErrorCode()).isEqualTo(OAuth2ErrorCodes.SERVER_ERROR);
				assertThat(error.getDescription())
						.contains("The token generator failed to generate the registration access token.");
			});
}
use of org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcClientRegistrationAuthenticationToken in project spring-authorization-server by spring-projects.
the class OidcClientRegistrationAuthenticationProviderTests method authenticateWhenClientRegistrationRequestAndAccessTokenContainsRequiredScopeAndAdditionalScopeThenThrowOAuth2AuthenticationException.
/**
 * Registration request whose initial access token carries {@code client.create} plus an
 * unrelated {@code scope1}. The provider accepts only a token scoped exactly to the
 * registration scope and rejects the over-scoped token with {@code invalid_token},
 * so a broader-purpose token cannot be reused to register clients.
 */
@Test
public void authenticateWhenClientRegistrationRequestAndAccessTokenContainsRequiredScopeAndAdditionalScopeThenThrowOAuth2AuthenticationException() {
	// Required scope plus one extra scope on the same token.
	HashSet<String> tokenScopes = new HashSet<>();
	tokenScopes.add("client.create");
	tokenScopes.add("scope1");
	Jwt overScopedJwt = createJwt(tokenScopes);
	OAuth2AccessToken overScopedAccessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
			overScopedJwt.getTokenValue(), overScopedJwt.getIssuedAt(), overScopedJwt.getExpiresAt(),
			overScopedJwt.getClaim(OAuth2ParameterNames.SCOPE));
	RegisteredClient client = TestRegisteredClients.registeredClient().build();
	OAuth2Authorization overScopedAuthorization = TestOAuth2Authorizations
			.authorization(client, overScopedAccessToken, overScopedJwt.getClaims())
			.build();
	when(this.authorizationService.findByToken(eq(overScopedAccessToken.getTokenValue()), eq(OAuth2TokenType.ACCESS_TOKEN)))
			.thenReturn(overScopedAuthorization);

	JwtAuthenticationToken jwtPrincipal = new JwtAuthenticationToken(overScopedJwt,
			AuthorityUtils.createAuthorityList("SCOPE_client.create", "SCOPE_scope1"));
	OidcClientRegistration requestedRegistration = OidcClientRegistration.builder()
			.redirectUri("https://client.example.com")
			.build();
	OidcClientRegistrationAuthenticationToken registrationRequest =
			new OidcClientRegistrationAuthenticationToken(jwtPrincipal, requestedRegistration);

	assertThatThrownBy(() -> this.authenticationProvider.authenticate(registrationRequest))
			.isInstanceOf(OAuth2AuthenticationException.class)
			.extracting(ex -> ((OAuth2AuthenticationException) ex).getError())
			.satisfies(error -> assertThat(error.getErrorCode()).isEqualTo(OAuth2ErrorCodes.INVALID_TOKEN));
	verify(this.authorizationService).findByToken(eq(overScopedAccessToken.getTokenValue()), eq(OAuth2TokenType.ACCESS_TOKEN));
}
use of org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcClientRegistrationAuthenticationToken in project spring-authorization-server by spring-projects.
the class OidcClientRegistrationAuthenticationProviderTests method authenticateWhenAccessTokenNotActiveThenThrowOAuth2AuthenticationException.
/**
 * Registration request presenting an initial access token whose authorization has
 * already been invalidated. Even though the token is still found in the store, the
 * provider must treat it as no longer active and answer with {@code invalid_token};
 * a consumed or revoked initial access token cannot register another client.
 */
@Test
public void authenticateWhenAccessTokenNotActiveThenThrowOAuth2AuthenticationException() {
	Jwt registrationJwt = createJwtClientRegistration();
	OAuth2AccessToken initialAccessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
			registrationJwt.getTokenValue(), registrationJwt.getIssuedAt(), registrationJwt.getExpiresAt(),
			registrationJwt.getClaim(OAuth2ParameterNames.SCOPE));
	RegisteredClient client = TestRegisteredClients.registeredClient().build();
	OAuth2Authorization activeAuthorization = TestOAuth2Authorizations
			.authorization(client, initialAccessToken, registrationJwt.getClaims())
			.build();
	// Mark the access token as invalidated before the provider looks it up.
	OAuth2Authorization invalidatedAuthorization =
			OidcAuthenticationProviderUtils.invalidate(activeAuthorization, initialAccessToken);
	when(this.authorizationService.findByToken(eq(initialAccessToken.getTokenValue()), eq(OAuth2TokenType.ACCESS_TOKEN)))
			.thenReturn(invalidatedAuthorization);

	JwtAuthenticationToken jwtPrincipal = new JwtAuthenticationToken(registrationJwt,
			AuthorityUtils.createAuthorityList("SCOPE_client.create"));
	OidcClientRegistration requestedRegistration = OidcClientRegistration.builder()
			.redirectUri("https://client.example.com")
			.build();
	OidcClientRegistrationAuthenticationToken registrationRequest =
			new OidcClientRegistrationAuthenticationToken(jwtPrincipal, requestedRegistration);

	assertThatThrownBy(() -> this.authenticationProvider.authenticate(registrationRequest))
			.isInstanceOf(OAuth2AuthenticationException.class)
			.extracting(ex -> ((OAuth2AuthenticationException) ex).getError())
			.satisfies(error -> assertThat(error.getErrorCode()).isEqualTo(OAuth2ErrorCodes.INVALID_TOKEN));
	verify(this.authorizationService).findByToken(eq(initialAccessToken.getTokenValue()), eq(OAuth2TokenType.ACCESS_TOKEN));
}
use of org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcClientRegistrationAuthenticationToken in project spring-authorization-server by spring-projects.
the class OidcClientRegistrationAuthenticationProviderTests method authenticateWhenClientRegistrationRequestAndValidAccessTokenThenReturnClientRegistration.
/**
 * Happy path for dynamic client registration with a valid initial access token.
 * Verifies the three persisted outcomes the endpoint relies on: a new
 * {@link RegisteredClient} with secure defaults (generated id and secret,
 * {@code client_secret_basic}, PKCE and consent required), a "registration" access
 * token narrowed to {@code client.read} for later configuration calls, and the
 * invalidation of the "initial" access token so it cannot be replayed. Finally the
 * returned {@link OidcClientRegistration} must mirror the persisted client and carry
 * the {@code registration_client_uri} and {@code registration_access_token}.
 */
@Test
public void authenticateWhenClientRegistrationRequestAndValidAccessTokenThenReturnClientRegistration() {
	Jwt initialJwt = createJwtClientRegistration();
	OAuth2AccessToken initialAccessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
			initialJwt.getTokenValue(), initialJwt.getIssuedAt(), initialJwt.getExpiresAt(),
			initialJwt.getClaim(OAuth2ParameterNames.SCOPE));
	RegisteredClient issuingClient = TestRegisteredClients.registeredClient().build();
	OAuth2Authorization initialAuthorization = TestOAuth2Authorizations
			.authorization(issuingClient, initialAccessToken, initialJwt.getClaims())
			.build();
	when(this.authorizationService.findByToken(eq(initialAccessToken.getTokenValue()), eq(OAuth2TokenType.ACCESS_TOKEN)))
			.thenReturn(initialAuthorization);
	// The encoder stands in for minting the registration access token.
	when(this.jwtEncoder.encode(any(), any())).thenReturn(createJwtClientConfiguration());

	JwtAuthenticationToken jwtPrincipal = new JwtAuthenticationToken(initialJwt,
			AuthorityUtils.createAuthorityList("SCOPE_client.create"));
	// @formatter:off
	OidcClientRegistration requestedRegistration = OidcClientRegistration.builder()
			.clientName("client-name")
			.redirectUri("https://client.example.com")
			.grantType(AuthorizationGrantType.AUTHORIZATION_CODE.getValue())
			.grantType(AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
			.scope("scope1")
			.scope("scope2")
			.build();
	// @formatter:on
	OidcClientRegistrationAuthenticationToken registrationRequest =
			new OidcClientRegistrationAuthenticationToken(jwtPrincipal, requestedRegistration);

	OidcClientRegistrationAuthenticationToken result =
			(OidcClientRegistrationAuthenticationToken) this.authenticationProvider.authenticate(registrationRequest);

	ArgumentCaptor<RegisteredClient> savedClientCaptor = ArgumentCaptor.forClass(RegisteredClient.class);
	ArgumentCaptor<OAuth2Authorization> savedAuthorizationCaptor = ArgumentCaptor.forClass(OAuth2Authorization.class);
	verify(this.authorizationService).findByToken(eq(initialAccessToken.getTokenValue()), eq(OAuth2TokenType.ACCESS_TOKEN));
	verify(this.jwtEncoder).encode(any(), any());
	verify(this.registeredClientRepository).save(savedClientCaptor.capture());
	verify(this.authorizationService, times(2)).save(savedAuthorizationCaptor.capture());
	List<OAuth2Authorization> savedAuthorizations = savedAuthorizationCaptor.getAllValues();

	// First save: the "registration" access token used for subsequent calls to the
	// client configuration endpoint. It is narrowed to client.read and has no refresh token.
	OAuth2Authorization registrationAuthorization = savedAuthorizations.get(0);
	assertThat(registrationAuthorization.getAccessToken().getToken().getScopes()).containsExactly("client.read");
	assertThat(registrationAuthorization.getAccessToken().isActive()).isTrue();
	assertThat(registrationAuthorization.getRefreshToken()).isNull();

	// Second save: the "initial" access token is consumed and must be invalidated.
	OAuth2Authorization consumedAuthorization = savedAuthorizations.get(1);
	assertThat(consumedAuthorization.getAccessToken().isInvalidated()).isTrue();
	if (consumedAuthorization.getRefreshToken() != null) {
		assertThat(consumedAuthorization.getRefreshToken().isInvalidated()).isTrue();
	}

	// The persisted client: generated identifiers and secret, secure defaults.
	RegisteredClient savedClient = savedClientCaptor.getValue();
	assertThat(savedClient.getId()).isNotNull();
	assertThat(savedClient.getClientId()).isNotNull();
	assertThat(savedClient.getClientIdIssuedAt()).isNotNull();
	assertThat(savedClient.getClientSecret()).isNotNull();
	assertThat(savedClient.getClientName()).isEqualTo(requestedRegistration.getClientName());
	assertThat(savedClient.getClientAuthenticationMethods())
			.containsExactly(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
	assertThat(savedClient.getRedirectUris()).containsExactly("https://client.example.com");
	assertThat(savedClient.getAuthorizationGrantTypes())
			.containsExactlyInAnyOrder(AuthorizationGrantType.AUTHORIZATION_CODE, AuthorizationGrantType.CLIENT_CREDENTIALS);
	assertThat(savedClient.getScopes()).containsExactlyInAnyOrder("scope1", "scope2");
	assertThat(savedClient.getClientSettings().isRequireProofKey()).isTrue();
	assertThat(savedClient.getClientSettings().isRequireAuthorizationConsent()).isTrue();
	assertThat(savedClient.getTokenSettings().getIdTokenSignatureAlgorithm()).isEqualTo(SignatureAlgorithm.RS256);

	// The registration response must reflect exactly what was persisted.
	OidcClientRegistration returnedRegistration = result.getClientRegistration();
	assertThat(returnedRegistration.getClientId()).isEqualTo(savedClient.getClientId());
	assertThat(returnedRegistration.getClientIdIssuedAt()).isEqualTo(savedClient.getClientIdIssuedAt());
	assertThat(returnedRegistration.getClientSecret()).isEqualTo(savedClient.getClientSecret());
	assertThat(returnedRegistration.getClientSecretExpiresAt()).isEqualTo(savedClient.getClientSecretExpiresAt());
	assertThat(returnedRegistration.getClientName()).isEqualTo(savedClient.getClientName());
	assertThat(returnedRegistration.getRedirectUris()).containsExactlyInAnyOrderElementsOf(savedClient.getRedirectUris());
	List<String> savedGrantTypeValues = new ArrayList<>();
	for (AuthorizationGrantType grantType : savedClient.getAuthorizationGrantTypes()) {
		savedGrantTypeValues.add(grantType.getValue());
	}
	assertThat(returnedRegistration.getGrantTypes()).containsExactlyInAnyOrderElementsOf(savedGrantTypeValues);
	assertThat(returnedRegistration.getResponseTypes()).containsExactly(OAuth2AuthorizationResponseType.CODE.getValue());
	assertThat(returnedRegistration.getScopes()).containsExactlyInAnyOrderElementsOf(savedClient.getScopes());
	assertThat(returnedRegistration.getTokenEndpointAuthenticationMethod())
			.isEqualTo(savedClient.getClientAuthenticationMethods().iterator().next().getValue());
	assertThat(returnedRegistration.getIdTokenSignedResponseAlgorithm())
			.isEqualTo(savedClient.getTokenSettings().getIdTokenSignatureAlgorithm().getName());

	// registration_client_uri is built from the issuer, the configured endpoint and the new client_id.
	ProviderContext providerContext = ProviderContextHolder.getProviderContext();
	String expectedClientUrl = UriComponentsBuilder.fromUriString(providerContext.getIssuer())
			.path(providerContext.getProviderSettings().getOidcClientRegistrationEndpoint())
			.queryParam(OAuth2ParameterNames.CLIENT_ID, savedClient.getClientId())
			.toUriString();
	assertThat(returnedRegistration.getRegistrationClientUrl().toString()).isEqualTo(expectedClientUrl);
	// NOTE(review): the mocked encoder's token value is expected to match the initial JWT's
	// value here; this relies on the two createJwt* fixtures sharing a token value.
	assertThat(returnedRegistration.getRegistrationAccessToken()).isEqualTo(initialJwt.getTokenValue());
}