Example 1 with NimbusOpaqueTokenIntrospector
use of org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector in project spring-security by spring-projects.
the class NimbusOpaqueTokenIntrospectorTests method introspectWhenIntrospectionTokenReturnsMalformedScopeThenEmptyAuthorities.
// gh-7563
@Test
public void introspectWhenIntrospectionTokenReturnsMalformedScopeThenEmptyAuthorities() {
RestOperations restOperations = mock(RestOperations.class);
OpaqueTokenIntrospector introspectionClient = new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, restOperations);
given(restOperations.exchange(any(RequestEntity.class), eq(String.class))).willReturn(MALFORMED_SCOPE);
OAuth2AuthenticatedPrincipal principal = introspectionClient.introspect("token");
assertThat(principal.getAuthorities()).isEmpty();
JSONArray scope = principal.getAttribute("scope");
assertThat(scope).containsExactly("read", "write", "dolphin");
}
Also used :
OAuth2AuthenticatedPrincipal(org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal)
JSONArray(net.minidev.json.JSONArray)
RestOperations(org.springframework.web.client.RestOperations)
RequestEntity(org.springframework.http.RequestEntity)
Test(org.junit.jupiter.api.Test)
ParameterizedTest(org.junit.jupiter.params.ParameterizedTest)
Example 2 with NimbusOpaqueTokenIntrospector
use of org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector in project spring-security by spring-projects.
the class NimbusOpaqueTokenIntrospectorTests method introspectWhenActiveTokenThenOk.
@Test
public void introspectWhenActiveTokenThenOk() throws Exception {
try (MockWebServer server = new MockWebServer()) {
server.setDispatcher(requiresAuth(CLIENT_ID, CLIENT_SECRET, ACTIVE_RESPONSE));
String introspectUri = server.url("/introspect").toString();
OpaqueTokenIntrospector introspectionClient = new NimbusOpaqueTokenIntrospector(introspectUri, CLIENT_ID, CLIENT_SECRET);
OAuth2AuthenticatedPrincipal authority = introspectionClient.introspect("token");
// @formatter:off
assertThat(authority.getAttributes()).isNotNull().containsEntry(OAuth2TokenIntrospectionClaimNames.ACTIVE, true).containsEntry(OAuth2TokenIntrospectionClaimNames.AUD, Arrays.asList("https://protected.example.net/resource")).containsEntry(OAuth2TokenIntrospectionClaimNames.CLIENT_ID, "l238j323ds-23ij4").containsEntry(OAuth2TokenIntrospectionClaimNames.EXP, Instant.ofEpochSecond(1419356238)).containsEntry(OAuth2TokenIntrospectionClaimNames.ISS, "https://server.example.com/").containsEntry(OAuth2TokenIntrospectionClaimNames.SCOPE, Arrays.asList("read", "write", "dolphin")).containsEntry(OAuth2TokenIntrospectionClaimNames.SUB, "Z5O3upPC88QrAjx00dis").containsEntry(OAuth2TokenIntrospectionClaimNames.USERNAME, "jdoe").containsEntry("extension_field", "twenty-seven");
// @formatter:on
}
}
Also used :
OAuth2AuthenticatedPrincipal(org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal)
MockWebServer(okhttp3.mockwebserver.MockWebServer)
Test(org.junit.jupiter.api.Test)
ParameterizedTest(org.junit.jupiter.params.ParameterizedTest)
Example 3 with NimbusOpaqueTokenIntrospector
use of org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector in project spring-security by spring-projects.
the class NimbusOpaqueTokenIntrospectorTests method introspectWhenActiveTokenThenParsesValuesInResponse.
@Test
public void introspectWhenActiveTokenThenParsesValuesInResponse() {
Map<String, Object> introspectedValues = new HashMap<>();
introspectedValues.put(OAuth2TokenIntrospectionClaimNames.ACTIVE, true);
introspectedValues.put(OAuth2TokenIntrospectionClaimNames.AUD, Arrays.asList("aud"));
introspectedValues.put(OAuth2TokenIntrospectionClaimNames.NBF, 29348723984L);
RestOperations restOperations = mock(RestOperations.class);
OpaqueTokenIntrospector introspectionClient = new NimbusOpaqueTokenIntrospector(INTROSPECTION_URL, restOperations);
given(restOperations.exchange(any(RequestEntity.class), eq(String.class))).willReturn(response(new JSONObject(introspectedValues).toJSONString()));
OAuth2AuthenticatedPrincipal authority = introspectionClient.introspect("token");
// @formatter:off
assertThat(authority.getAttributes()).isNotNull().containsEntry(OAuth2TokenIntrospectionClaimNames.ACTIVE, true).containsEntry(OAuth2TokenIntrospectionClaimNames.AUD, Arrays.asList("aud")).containsEntry(OAuth2TokenIntrospectionClaimNames.NBF, Instant.ofEpochSecond(29348723984L)).doesNotContainKey(OAuth2TokenIntrospectionClaimNames.CLIENT_ID).doesNotContainKey(OAuth2TokenIntrospectionClaimNames.SCOPE);
// @formatter:on
}
Also used :
JSONObject(net.minidev.json.JSONObject)
HashMap(java.util.HashMap)
OAuth2AuthenticatedPrincipal(org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal)
JSONObject(net.minidev.json.JSONObject)
RestOperations(org.springframework.web.client.RestOperations)
RequestEntity(org.springframework.http.RequestEntity)
Test(org.junit.jupiter.api.Test)
ParameterizedTest(org.junit.jupiter.params.ParameterizedTest)
Aggregations
Test (org.junit.jupiter.api.Test)3
ParameterizedTest (org.junit.jupiter.params.ParameterizedTest)3
OAuth2AuthenticatedPrincipal (org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal)3
RequestEntity (org.springframework.http.RequestEntity)2
RestOperations (org.springframework.web.client.RestOperations)2
HashMap (java.util.HashMap)1
JSONArray (net.minidev.json.JSONArray)1
JSONObject (net.minidev.json.JSONObject)1
MockWebServer (okhttp3.mockwebserver.MockWebServer)1
