Example 1 with OpaqueTokenIntrospector

Use of org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector in the spring-security project by spring-projects.

From the class OpaqueTokenAuthenticationProviderTests, method authenticateWhenIntrospectionEndpointThrowsExceptionThenInvalidToken.

@Test
public void authenticateWhenIntrospectionEndpointThrowsExceptionThenInvalidToken() {
    // Introspector that always fails, simulating an unreachable or broken introspection endpoint
    OpaqueTokenIntrospector introspector = mock(OpaqueTokenIntrospector.class);
    given(introspector.introspect(any())).willThrow(new OAuth2IntrospectionException("with \"invalid\" chars"));
    OpaqueTokenAuthenticationProvider provider = new OpaqueTokenAuthenticationProvider(introspector);
    // The provider surfaces the introspection failure as an AuthenticationServiceException
    assertThatExceptionOfType(AuthenticationServiceException.class)
            .isThrownBy(() -> provider.authenticate(new BearerTokenAuthenticationToken("token")));
}

Example 2 with OpaqueTokenIntrospector

Use of org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector in the spring-security project by spring-projects.

From the class SpringOpaqueTokenIntrospectorTests, method introspectWhenActiveTokenThenParsesValuesInResponse.

@Test
public void introspectWhenActiveTokenThenParsesValuesInResponse() {
    // Minimal active introspection response: active flag, audience and a not-before timestamp
    Map<String, Object> introspectedValues = new HashMap<>();
    introspectedValues.put(OAuth2TokenIntrospectionClaimNames.ACTIVE, true);
    introspectedValues.put(OAuth2TokenIntrospectionClaimNames.AUD, Arrays.asList("aud"));
    introspectedValues.put(OAuth2TokenIntrospectionClaimNames.NBF, 29348723984L);
    RestOperations restOperations = mock(RestOperations.class);
    OpaqueTokenIntrospector introspectionClient = new SpringOpaqueTokenIntrospector(INTROSPECTION_URL, restOperations);
    given(restOperations.exchange(any(RequestEntity.class), eq(STRING_OBJECT_MAP))).willReturn(response(introspectedValues));
    OAuth2AuthenticatedPrincipal authority = introspectionClient.introspect("token");
    // Numeric time claims are converted to Instant; claims absent from the response are not invented
    // @formatter:off
    assertThat(authority.getAttributes()).isNotNull()
            .containsEntry(OAuth2TokenIntrospectionClaimNames.ACTIVE, true)
            .containsEntry(OAuth2TokenIntrospectionClaimNames.AUD, Arrays.asList("aud"))
            .containsEntry(OAuth2TokenIntrospectionClaimNames.NBF, Instant.ofEpochSecond(29348723984L))
            .doesNotContainKey(OAuth2TokenIntrospectionClaimNames.CLIENT_ID)
            .doesNotContainKey(OAuth2TokenIntrospectionClaimNames.SCOPE);
    // @formatter:on
}

Example 3 with OpaqueTokenIntrospector

Use of org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector in the spring-security project by spring-projects.

From the class SpringOpaqueTokenIntrospectorTests, method introspectWhenIntrospectionTokenReturnsMalformedScopeThenEmptyAuthorities.

// gh-7563
@Test
public void introspectWhenIntrospectionTokenReturnsMalformedScopeThenEmptyAuthorities() {
    RestOperations restOperations = mock(RestOperations.class);
    OpaqueTokenIntrospector introspectionClient = new SpringOpaqueTokenIntrospector(INTROSPECTION_URL, restOperations);
    // Introspection response whose "scope" value is not in the expected format
    given(restOperations.exchange(any(RequestEntity.class), eq(STRING_OBJECT_MAP))).willReturn(MALFORMED_SCOPE);
    OAuth2AuthenticatedPrincipal principal = introspectionClient.introspect("token");
    // No authorities are derived from a malformed scope, so the principal is granted nothing by default
    assertThat(principal.getAuthorities()).isEmpty();
    // The raw scope values are still exposed as an attribute for callers that want to interpret them
    Collection<String> scope = principal.getAttribute("scope");
    assertThat(scope).containsExactly("read", "write", "dolphin");
}

Example 4 with OpaqueTokenIntrospector

Use of org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector in the spring-security project by spring-projects.

From the class OAuth2ResourceServerConfigurerTests, method getIntrospectionClientWhenConfiguredWithClientAndIntrospectionUriThenLastOneWins.

@Test
public void getIntrospectionClientWhenConfiguredWithClientAndIntrospectionUriThenLastOneWins() {
    ApplicationContext context = mock(ApplicationContext.class);
    OAuth2ResourceServerConfigurer.OpaqueTokenConfigurer opaqueTokenConfigurer = new OAuth2ResourceServerConfigurer(context).opaqueToken();
    OpaqueTokenIntrospector client = mock(OpaqueTokenIntrospector.class);
    // introspector(...) called last: the explicitly supplied introspector is used
    opaqueTokenConfigurer.introspectionUri(INTROSPECTION_URI);
    opaqueTokenConfigurer.introspectionClientCredentials(CLIENT_ID, CLIENT_SECRET);
    opaqueTokenConfigurer.introspector(client);
    assertThat(opaqueTokenConfigurer.getIntrospector()).isEqualTo(client);
    // introspectionUri(...) called last: a new introspector is built from the URI and credentials instead
    opaqueTokenConfigurer = new OAuth2ResourceServerConfigurer(context).opaqueToken();
    opaqueTokenConfigurer.introspector(client);
    opaqueTokenConfigurer.introspectionUri(INTROSPECTION_URI);
    opaqueTokenConfigurer.introspectionClientCredentials(CLIENT_ID, CLIENT_SECRET);
    assertThat(opaqueTokenConfigurer.getIntrospector()).isNotSameAs(client);
}

Example 5 with OpaqueTokenIntrospector

Use of org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector in the spring-security project by spring-projects.

From the class SpringOpaqueTokenIntrospectorTests, method introspectWhenActiveTokenThenOk.

@Test
public void introspectWhenActiveTokenThenOk() throws Exception {
    try (MockWebServer server = new MockWebServer()) {
        // The mock endpoint only answers with ACTIVE_RESPONSE when the client authenticates with CLIENT_ID / CLIENT_SECRET
        server.setDispatcher(requiresAuth(CLIENT_ID, CLIENT_SECRET, ACTIVE_RESPONSE));
        String introspectUri = server.url("/introspect").toString();
        OpaqueTokenIntrospector introspectionClient = new SpringOpaqueTokenIntrospector(introspectUri, CLIENT_ID, CLIENT_SECRET);
        OAuth2AuthenticatedPrincipal authority = introspectionClient.introspect("token");
        // Every standard claim in the response is mapped to a principal attribute; unknown fields are kept as-is
        // @formatter:off
        assertThat(authority.getAttributes()).isNotNull()
                .containsEntry(OAuth2TokenIntrospectionClaimNames.ACTIVE, true)
                .containsEntry(OAuth2TokenIntrospectionClaimNames.AUD, Arrays.asList("https://protected.example.net/resource"))
                .containsEntry(OAuth2TokenIntrospectionClaimNames.CLIENT_ID, "l238j323ds-23ij4")
                .containsEntry(OAuth2TokenIntrospectionClaimNames.EXP, Instant.ofEpochSecond(1419356238))
                .containsEntry(OAuth2TokenIntrospectionClaimNames.ISS, "https://server.example.com/")
                .containsEntry(OAuth2TokenIntrospectionClaimNames.SCOPE, Arrays.asList("read", "write", "dolphin"))
                .containsEntry(OAuth2TokenIntrospectionClaimNames.SUB, "Z5O3upPC88QrAjx00dis")
                .containsEntry(OAuth2TokenIntrospectionClaimNames.USERNAME, "jdoe")
                .containsEntry("extension_field", "twenty-seven");
        // @formatter:on
    }
}