Add user consent page

Closes spring-projectsgh-42

Author: jgrandja

oauth2-authorization-server/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2AuthorizationServerSecurity.java

@@ -17,11 +17,8 @@
 
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
-import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization.OAuth2AuthorizationServerConfigurer;
-import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 
@@ -41,22 +38,17 @@ public class OAuth2AuthorizationServerSecurity extends WebSecurityConfigurerAdap
 	protected void configure(HttpSecurity http) throws Exception {
 		OAuth2AuthorizationServerConfigurer<HttpSecurity> authorizationServerConfigurer =
 				new OAuth2AuthorizationServerConfigurer<>();
+		RequestMatcher[] endpointMatchers = authorizationServerConfigurer
+				.getEndpointMatchers().toArray(new RequestMatcher[0]);
 
 		http
-			.requestMatcher(new OrRequestMatcher(authorizationServerConfigurer.getEndpointMatchers()))
+			.requestMatcher(new OrRequestMatcher(endpointMatchers))
 			.authorizeRequests(authorizeRequests ->
-				authorizeRequests
-						.anyRequest().authenticated()
+					authorizeRequests.anyRequest().authenticated()
 			)
 			.formLogin(withDefaults())
-			.csrf(csrf -> csrf.ignoringRequestMatchers(tokenEndpointMatcher()))
+			.csrf(csrf -> csrf.ignoringRequestMatchers(endpointMatchers))
 			.apply(authorizationServerConfigurer);
 	}
 	// @formatter:on
-
-	private static RequestMatcher tokenEndpointMatcher() {
-		return new AntPathRequestMatcher(
-				OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI,
-				HttpMethod.POST.name());
-	}
 }

oauth2-authorization-server/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationServerConfigurer.java

@@ -40,6 +40,7 @@
 import org.springframework.security.web.authentication.HttpStatusEntryPoint;
 import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
@@ -63,8 +64,13 @@
 public final class OAuth2AuthorizationServerConfigurer<B extends HttpSecurityBuilder<B>>
 		extends AbstractHttpConfigurer<OAuth2AuthorizationServerConfigurer<B>, B> {
 
-	private final RequestMatcher authorizationEndpointMatcher = new AntPathRequestMatcher(
-			OAuth2AuthorizationEndpointFilter.DEFAULT_AUTHORIZATION_ENDPOINT_URI, HttpMethod.GET.name());
+	private final RequestMatcher authorizationEndpointMatcher = new OrRequestMatcher(
+			new AntPathRequestMatcher(
+					OAuth2AuthorizationEndpointFilter.DEFAULT_AUTHORIZATION_ENDPOINT_URI,
+					HttpMethod.GET.name()),
+			new AntPathRequestMatcher(
+					OAuth2AuthorizationEndpointFilter.DEFAULT_AUTHORIZATION_ENDPOINT_URI,
+					HttpMethod.POST.name()));
 	private final RequestMatcher tokenEndpointMatcher = new AntPathRequestMatcher(
 			OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI, HttpMethod.POST.name());
 	private final RequestMatcher jwkSetEndpointMatcher = new AntPathRequestMatcher(

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/InMemoryOAuth2AuthorizationService.java

@@ -43,6 +43,14 @@ public void save(OAuth2Authorization authorization) {
 		this.authorizations.put(authorizationId, authorization);
 	}
 
+	@Override
+	public void remove(OAuth2Authorization authorization) {
+		Assert.notNull(authorization, "authorization cannot be null");
+		OAuth2AuthorizationId authorizationId = new OAuth2AuthorizationId(
+				authorization.getRegisteredClientId(), authorization.getPrincipalName());
+		this.authorizations.remove(authorizationId, authorization);
+	}
+
 	@Override
 	public OAuth2Authorization findByToken(String token, @Nullable TokenType tokenType) {
 		Assert.hasText(token, "token cannot be empty");
@@ -53,7 +61,9 @@ public OAuth2Authorization findByToken(String token, @Nullable TokenType tokenTy
 	}
 
 	private boolean hasToken(OAuth2Authorization authorization, String token, TokenType tokenType) {
-		if (TokenType.AUTHORIZATION_CODE.equals(tokenType)) {
+		if (OAuth2AuthorizationAttributeNames.STATE.equals(tokenType.getValue())) {
+			return token.equals(authorization.getAttribute(OAuth2AuthorizationAttributeNames.STATE));
+		} else if (TokenType.AUTHORIZATION_CODE.equals(tokenType)) {
 			return token.equals(authorization.getAttribute(OAuth2AuthorizationAttributeNames.CODE));
 		} else if (TokenType.ACCESS_TOKEN.equals(tokenType)) {
 			return authorization.getAccessToken() != null &&

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2AuthorizationAttributeNames.java

@@ -30,6 +30,11 @@
  */
 public interface OAuth2AuthorizationAttributeNames {
 
+	/**
+	 * The name of the attribute used for correlating the user consent request/response.
+	 */
+	String STATE = OAuth2Authorization.class.getName().concat(".STATE");
+
 	/**
 	 * The name of the attribute used for the {@link OAuth2ParameterNames#CODE} parameter.
 	 */
@@ -40,6 +45,11 @@ public interface OAuth2AuthorizationAttributeNames {
 	 */
 	String AUTHORIZATION_REQUEST = OAuth2Authorization.class.getName().concat(".AUTHORIZATION_REQUEST");
 
+	/**
+	 * The name of the attribute used for the authorized scope(s).
+	 */
+	String AUTHORIZED_SCOPES = OAuth2Authorization.class.getName().concat(".AUTHORIZED_SCOPES");
+
 	/**
 	 * The name of the attribute used for the attributes/claims of the {@link OAuth2AccessToken}.
 	 */

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2AuthorizationService.java

@@ -34,6 +34,13 @@ public interface OAuth2AuthorizationService {
 	 */
 	void save(OAuth2Authorization authorization);
 
+	/**
+	 * Removes the {@link OAuth2Authorization}.
+	 *
+	 * @param authorization the {@link OAuth2Authorization}
+	 */
+	void remove(OAuth2Authorization authorization);
+
 	/**
 	 * Returns the {@link OAuth2Authorization} containing the provided {@code token},
 	 * or {@code null} if not found.

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java

@@ -44,6 +44,7 @@
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.Collections;
+import java.util.Set;
 
 /**
  * An {@link AuthenticationProvider} implementation for the OAuth 2.0 Authorization Code Grant.
@@ -123,6 +124,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 
 		Instant issuedAt = Instant.now();
 		Instant expiresAt = issuedAt.plus(1, ChronoUnit.HOURS);		// TODO Allow configuration for access token time-to-live
+		Set<String> authorizedScopes = authorization.getAttribute(OAuth2AuthorizationAttributeNames.AUTHORIZED_SCOPES);
 
 		JwtClaimsSet jwtClaimsSet = JwtClaimsSet.withClaims()
 				.issuer(issuer)
@@ -131,7 +133,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 				.issuedAt(issuedAt)
 				.expiresAt(expiresAt)
 				.notBefore(issuedAt)
-				.claim(OAuth2ParameterNames.SCOPE, authorizationRequest.getScopes())
+				.claim(OAuth2ParameterNames.SCOPE, authorizedScopes)
 				.build();
 
 		Jwt jwt = this.jwtEncoder.encode(joseHeader, jwtClaimsSet);

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/ClientSettings.java

@@ -28,6 +28,7 @@
 public class ClientSettings extends Settings {
 	private static final String CLIENT_SETTING_BASE = "spring.security.oauth2.authorization-server.client.";
 	public static final String REQUIRE_PROOF_KEY = CLIENT_SETTING_BASE.concat("require-proof-key");
+	public static final String REQUIRE_USER_CONSENT = CLIENT_SETTING_BASE.concat("require-user-consent");
 
 	/**
 	 * Constructs a {@code ClientSettings}.
@@ -67,9 +68,32 @@ public ClientSettings requireProofKey(boolean requireProofKey) {
 		return this;
 	}
 
+	/**
+	 * Returns {@code true} if the user's consent is required when the client requests access.
+	 * The default is {@code false}.
+	 *
+	 * @return {@code true} if the user's consent is required when the client requests access, {@code false} otherwise
+	 */
+	public boolean requireUserConsent() {
+		return setting(REQUIRE_USER_CONSENT);
+	}
+
+	/**
+	 * Set to {@code true} if the user's consent is required when the client requests access.
+	 * This applies to all interactive flows (e.g. {@code authorization_code} and {@code device_code}).
+	 *
+	 * @param requireUserConsent {@code true} if the user's consent is required when the client requests access, {@code false} otherwise
+	 * @return the {@link ClientSettings}
+	 */
+	public ClientSettings requireUserConsent(boolean requireUserConsent) {
+		setting(REQUIRE_USER_CONSENT, requireUserConsent);
+		return this;
+	}
+
 	protected static Map<String, Object> defaultSettings() {
 		Map<String, Object> settings = new HashMap<>();
 		settings.put(REQUIRE_PROOF_KEY, false);
+		settings.put(REQUIRE_USER_CONSENT, false);
 		return settings;
 	}
 }