Skip to content

Commit 2890864

Browse files
committed
1 parent c5fcbbd commit 2890864

File tree

2 files changed

+61
-59
lines changed

2 files changed

+61
-59
lines changed

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -192,8 +192,9 @@ public Authentication authenticate(Authentication authentication) throws Authent
192192
jwtAccessToken.getExpiresAt(), authorizedScopes);
193193

194194
OAuth2RefreshToken refreshToken = null;
195-
if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)
196-
&& !registeredClient.getClientAuthenticationMethods().contains(ClientAuthenticationMethod.NONE)) {
195+
if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN) &&
196+
// Do not issue refresh token to public client
197+
!clientPrincipal.getClientAuthenticationMethod().equals(ClientAuthenticationMethod.NONE)) {
197198
refreshToken = generateRefreshToken(registeredClient.getTokenSettings().getRefreshTokenTimeToLive());
198199
}
199200

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProviderTests.java

Lines changed: 58 additions & 57 deletions
Original file line numberDiff line numberDiff line change
@@ -166,63 +166,6 @@ public void authenticateWhenInvalidCodeThenThrowOAuth2AuthenticationException()
166166
.isEqualTo(OAuth2ErrorCodes.INVALID_GRANT);
167167
}
168168

169-
// gh-296
170-
@Test
171-
public void authenticateWhenPublicClientThenRefreshTokenIsNotIssued() {
172-
RegisteredClient registeredClient = TestRegisteredClients.registeredPublicClient()
173-
.authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
174-
.build();
175-
OAuth2Authorization authorization = TestOAuth2Authorizations.authorization(registeredClient).build();
176-
when(this.authorizationService.findByToken(eq(AUTHORIZATION_CODE), eq(AUTHORIZATION_CODE_TOKEN_TYPE)))
177-
.thenReturn(authorization);
178-
179-
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient);
180-
OAuth2AuthorizationRequest authorizationRequest = authorization.getAttribute(
181-
OAuth2AuthorizationRequest.class.getName());
182-
OAuth2AuthorizationCodeAuthenticationToken authentication =
183-
new OAuth2AuthorizationCodeAuthenticationToken(AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri(), null);
184-
185-
when(this.jwtEncoder.encode(any(), any())).thenReturn(createJwt());
186-
187-
OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
188-
(OAuth2AccessTokenAuthenticationToken) this.authenticationProvider.authenticate(authentication);
189-
190-
ArgumentCaptor<JwtEncodingContext> jwtEncodingContextCaptor = ArgumentCaptor.forClass(JwtEncodingContext.class);
191-
verify(this.jwtCustomizer).customize(jwtEncodingContextCaptor.capture());
192-
JwtEncodingContext jwtEncodingContext = jwtEncodingContextCaptor.getValue();
193-
assertThat(jwtEncodingContext.getRegisteredClient()).isEqualTo(registeredClient);
194-
assertThat(jwtEncodingContext.<Authentication>getPrincipal()).isEqualTo(authorization.getAttribute(Principal.class.getName()));
195-
assertThat(jwtEncodingContext.getAuthorization()).isEqualTo(authorization);
196-
assertThat(jwtEncodingContext.getAuthorizedScopes())
197-
.isEqualTo(authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
198-
assertThat(jwtEncodingContext.getTokenType()).isEqualTo(OAuth2TokenType.ACCESS_TOKEN);
199-
assertThat(jwtEncodingContext.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
200-
assertThat(jwtEncodingContext.<OAuth2AuthorizationGrantAuthenticationToken>getAuthorizationGrant()).isEqualTo(authentication);
201-
assertThat(jwtEncodingContext.getHeaders()).isNotNull();
202-
assertThat(jwtEncodingContext.getClaims()).isNotNull();
203-
204-
ArgumentCaptor<JwtClaimsSet> jwtClaimsSetCaptor = ArgumentCaptor.forClass(JwtClaimsSet.class);
205-
verify(this.jwtEncoder).encode(any(), jwtClaimsSetCaptor.capture());
206-
JwtClaimsSet jwtClaimsSet = jwtClaimsSetCaptor.getValue();
207-
208-
Set<String> scopes = jwtClaimsSet.getClaim(OAuth2ParameterNames.SCOPE);
209-
assertThat(scopes).isEqualTo(authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
210-
assertThat(jwtClaimsSet.getSubject()).isEqualTo(authorization.getPrincipalName());
211-
212-
ArgumentCaptor<OAuth2Authorization> authorizationCaptor = ArgumentCaptor.forClass(OAuth2Authorization.class);
213-
verify(this.authorizationService).save(authorizationCaptor.capture());
214-
OAuth2Authorization updatedAuthorization = authorizationCaptor.getValue();
215-
216-
assertThat(accessTokenAuthentication.getRegisteredClient().getId()).isEqualTo(updatedAuthorization.getRegisteredClientId());
217-
assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal);
218-
assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(updatedAuthorization.getAccessToken().getToken());
219-
assertThat(accessTokenAuthentication.getAccessToken().getScopes())
220-
.isEqualTo(authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
221-
assertThat(accessTokenAuthentication.getRefreshToken()).isNull();
222-
OAuth2Authorization.Token<OAuth2AuthorizationCode> authorizationCode = updatedAuthorization.getToken(OAuth2AuthorizationCode.class);
223-
assertThat(authorizationCode.isInvalidated()).isTrue();
224-
}
225-
226169
@Test
227170
public void authenticateWhenCodeIssuedToAnotherClientThenThrowOAuth2AuthenticationException() {
228171
OAuth2Authorization authorization = TestOAuth2Authorizations.authorization().build();
@@ -446,6 +389,64 @@ public void authenticateWhenValidCodeAndAuthenticationRequestThenReturnIdToken()
446389
.containsExactly(entry(OidcParameterNames.ID_TOKEN, idToken.getToken().getTokenValue()));
447390
}
448391

392+
// gh-296
393+
@Test
394+
public void authenticateWhenPublicClientThenRefreshTokenNotIssued() {
395+
RegisteredClient registeredClient = TestRegisteredClients.registeredPublicClient()
396+
.authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
397+
.build();
398+
OAuth2Authorization authorization = TestOAuth2Authorizations.authorization(registeredClient).build();
399+
when(this.authorizationService.findByToken(eq(AUTHORIZATION_CODE), eq(AUTHORIZATION_CODE_TOKEN_TYPE)))
400+
.thenReturn(authorization);
401+
402+
OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(
403+
registeredClient, ClientAuthenticationMethod.NONE, null);
404+
OAuth2AuthorizationRequest authorizationRequest = authorization.getAttribute(
405+
OAuth2AuthorizationRequest.class.getName());
406+
OAuth2AuthorizationCodeAuthenticationToken authentication =
407+
new OAuth2AuthorizationCodeAuthenticationToken(AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri(), null);
408+
409+
when(this.jwtEncoder.encode(any(), any())).thenReturn(createJwt());
410+
411+
OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
412+
(OAuth2AccessTokenAuthenticationToken) this.authenticationProvider.authenticate(authentication);
413+
414+
ArgumentCaptor<JwtEncodingContext> jwtEncodingContextCaptor = ArgumentCaptor.forClass(JwtEncodingContext.class);
415+
verify(this.jwtCustomizer).customize(jwtEncodingContextCaptor.capture());
416+
JwtEncodingContext jwtEncodingContext = jwtEncodingContextCaptor.getValue();
417+
assertThat(jwtEncodingContext.getRegisteredClient()).isEqualTo(registeredClient);
418+
assertThat(jwtEncodingContext.<Authentication>getPrincipal()).isEqualTo(authorization.getAttribute(Principal.class.getName()));
419+
assertThat(jwtEncodingContext.getAuthorization()).isEqualTo(authorization);
420+
assertThat(jwtEncodingContext.getAuthorizedScopes())
421+
.isEqualTo(authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
422+
assertThat(jwtEncodingContext.getTokenType()).isEqualTo(OAuth2TokenType.ACCESS_TOKEN);
423+
assertThat(jwtEncodingContext.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
424+
assertThat(jwtEncodingContext.<OAuth2AuthorizationGrantAuthenticationToken>getAuthorizationGrant()).isEqualTo(authentication);
425+
assertThat(jwtEncodingContext.getHeaders()).isNotNull();
426+
assertThat(jwtEncodingContext.getClaims()).isNotNull();
427+
428+
ArgumentCaptor<JwtClaimsSet> jwtClaimsSetCaptor = ArgumentCaptor.forClass(JwtClaimsSet.class);
429+
verify(this.jwtEncoder).encode(any(), jwtClaimsSetCaptor.capture());
430+
JwtClaimsSet jwtClaimsSet = jwtClaimsSetCaptor.getValue();
431+
432+
Set<String> scopes = jwtClaimsSet.getClaim(OAuth2ParameterNames.SCOPE);
433+
assertThat(scopes).isEqualTo(authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
434+
assertThat(jwtClaimsSet.getSubject()).isEqualTo(authorization.getPrincipalName());
435+
436+
ArgumentCaptor<OAuth2Authorization> authorizationCaptor = ArgumentCaptor.forClass(OAuth2Authorization.class);
437+
verify(this.authorizationService).save(authorizationCaptor.capture());
438+
OAuth2Authorization updatedAuthorization = authorizationCaptor.getValue();
439+
440+
assertThat(accessTokenAuthentication.getRegisteredClient().getId()).isEqualTo(updatedAuthorization.getRegisteredClientId());
441+
assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal);
442+
assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(updatedAuthorization.getAccessToken().getToken());
443+
assertThat(accessTokenAuthentication.getAccessToken().getScopes())
444+
.isEqualTo(authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
445+
assertThat(accessTokenAuthentication.getRefreshToken()).isNull();
446+
OAuth2Authorization.Token<OAuth2AuthorizationCode> authorizationCode = updatedAuthorization.getToken(OAuth2AuthorizationCode.class);
447+
assertThat(authorizationCode.isInvalidated()).isTrue();
448+
}
449+
449450
@Test
450451
public void authenticateWhenTokenTimeToLiveConfiguredThenTokenExpirySet() {
451452
Duration accessTokenTTL = Duration.ofHours(2);

0 commit comments

Comments
 (0)