don't use AuthorizationServerSettings as a runtime object

Author: frederikz

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/JwtClientAssertionDecoderFactory.java

@@ -47,7 +47,6 @@
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContext;
 import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder;
-import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
 import org.springframework.util.Assert;
 import org.springframework.util.CollectionUtils;
 import org.springframework.util.StringUtils;
@@ -182,12 +181,11 @@ private static List<String> getAudience() {
 			return Collections.emptyList();
 		}
 
-		AuthorizationServerSettings authorizationServerSettings = authorizationServerContext.getAuthorizationServerSettings();
 		List<String> audience = new ArrayList<>();
 		audience.add(authorizationServerContext.getIssuer());
-		audience.add(asUrl(authorizationServerContext.getIssuer(), authorizationServerSettings.getTokenEndpoint()));
-		audience.add(asUrl(authorizationServerContext.getIssuer(), authorizationServerSettings.getTokenIntrospectionEndpoint()));
-		audience.add(asUrl(authorizationServerContext.getIssuer(), authorizationServerSettings.getTokenRevocationEndpoint()));
+		audience.add(asUrl(authorizationServerContext.getIssuer(), authorizationServerContext.getTokenEndpoint()));
+		audience.add(asUrl(authorizationServerContext.getIssuer(), authorizationServerContext.getTokenIntrospectionEndpoint()));
+		audience.add(asUrl(authorizationServerContext.getIssuer(), authorizationServerContext.getTokenRevocationEndpoint()));
 		return audience;
 	}
 

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProvider.java

@@ -21,7 +21,6 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.core.Authentication;
@@ -40,7 +39,6 @@
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder;
-import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
 import org.springframework.util.Assert;
 
 /**
@@ -146,9 +144,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 			Set<String> currentAuthorizedScopes = currentAuthorizationConsent != null ?
 					currentAuthorizationConsent.getScopes() : null;
 
-			AuthorizationServerSettings authorizationServerSettings =
-					AuthorizationServerContextHolder.getContext().getAuthorizationServerSettings();
-			String deviceVerificationUri = authorizationServerSettings.getDeviceVerificationEndpoint();
+			String deviceVerificationUri = AuthorizationServerContextHolder.getContext().getDeviceVerificationEndpoint();
 
 			return new OAuth2DeviceAuthorizationConsentAuthenticationToken(deviceVerificationUri,
 					registeredClient.getClientId(), principal, deviceVerificationAuthentication.getUserCode(), state,

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcConfigurer.java

@@ -25,7 +25,6 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContext;
 import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder;
-import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.web.util.UriComponentsBuilder;
@@ -130,10 +129,9 @@ void configure(HttpSecurity httpSecurity) {
 					.addDefaultProviderConfigurationCustomizer((builder) -> {
 						AuthorizationServerContext authorizationServerContext = AuthorizationServerContextHolder.getContext();
 						String issuer = authorizationServerContext.getIssuer();
-						AuthorizationServerSettings authorizationServerSettings = authorizationServerContext.getAuthorizationServerSettings();
 
 						String clientRegistrationEndpoint = UriComponentsBuilder.fromUriString(issuer)
-								.path(authorizationServerSettings.getOidcClientRegistrationEndpoint()).build().toUriString();
+								.path(authorizationServerContext.getOidcClientRegistrationEndpoint()).build().toUriString();
 
 						builder.clientRegistrationEndpoint(clientRegistrationEndpoint);
 					});

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/context/AuthorizationServerContext.java

@@ -35,10 +35,75 @@ public interface AuthorizationServerContext {
 	String getIssuer();
 
 	/**
-	 * Returns the {@link AuthorizationServerSettings}.
+	 * Returns the OAuth 2.0 Authorization endpoint.
 	 *
-	 * @return the {@link AuthorizationServerSettings}
+	 * @return the Authorization endpoint
 	 */
-	AuthorizationServerSettings getAuthorizationServerSettings();
+	String getAuthorizationEndpoint();
+
+	/**
+	 * Returns the OAuth 2.0 Device Authorization endpoint.
+	 *
+	 * @return the Device Authorization endpoint
+	 * @since 1.1
+	 */
+	String getDeviceAuthorizationEndpoint();
+
+	/**
+	 * Returns the OAuth 2.0 Device Verification endpoint.
+	 *
+	 * @return the Device Verification endpoint
+	 * @since 1.1
+	 */
+	String getDeviceVerificationEndpoint();
+
+	/**
+	 * Returns the OAuth 2.0 Token endpoint.
+	 *
+	 * @return the Token endpoint
+	 */
+	String getTokenEndpoint();
+
+	/**
+	 * Returns the JWK Set endpoint.
+	 *
+	 * @return the JWK Set endpoint
+	 */
+	String getJwkSetEndpoint();
+
+	/**
+	 * Returns the OAuth 2.0 Token Revocation endpoint.
+	 *
+	 * @return the Token Revocation endpoint
+	 */
+	String getTokenRevocationEndpoint();
+
+	/**
+	 * Returns the OAuth 2.0 Token Introspection endpoint.
+	 *
+	 * @return the Token Introspection endpoint
+	 */
+	String getTokenIntrospectionEndpoint();
+
+	/**
+	 * Returns the OpenID Connect 1.0 Client Registration endpoint.
+	 *
+	 * @return the OpenID Connect 1.0 Client Registration endpoint
+	 */
+	String getOidcClientRegistrationEndpoint();
+
+	/**
+	 * Returns the OpenID Connect 1.0 UserInfo endpoint.
+	 *
+	 * @return the OpenID Connect 1.0 UserInfo endpoint
+	 */
+	String getOidcUserInfoEndpoint();
+
+	/**
+	 * Returns the OpenID Connect 1.0 Logout endpoint.
+	 * 
+	 * @return the OpenID Connect 1.0 Logout endpoint
+	 */
+	String getOidcLogoutEndpoint();
 
 }

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/context/DefaultAuthorizationServerContextResolver.java

@@ -71,8 +71,53 @@ public String getIssuer() {
 		}
 
 		@Override
-		public AuthorizationServerSettings getAuthorizationServerSettings() {
-			return this.authorizationServerSettings;
+		public String getAuthorizationEndpoint() {
+			return authorizationServerSettings.getAuthorizationEndpoint();
+		}
+
+		@Override
+		public String getDeviceAuthorizationEndpoint() {
+			return authorizationServerSettings.getDeviceAuthorizationEndpoint();
+		}
+
+		@Override
+		public String getDeviceVerificationEndpoint() {
+			return authorizationServerSettings.getDeviceVerificationEndpoint();
+		}
+
+		@Override
+		public String getTokenEndpoint() {
+			return authorizationServerSettings.getTokenEndpoint();
+		}
+
+		@Override
+		public String getJwkSetEndpoint() {
+			return authorizationServerSettings.getJwkSetEndpoint();
+		}
+
+		@Override
+		public String getTokenRevocationEndpoint() {
+			return authorizationServerSettings.getTokenRevocationEndpoint();
+		}
+
+		@Override
+		public String getTokenIntrospectionEndpoint() {
+			return authorizationServerSettings.getTokenIntrospectionEndpoint();
+		}
+
+		@Override
+		public String getOidcClientRegistrationEndpoint() {
+			return authorizationServerSettings.getOidcClientRegistrationEndpoint();
+		}
+
+		@Override
+		public String getOidcUserInfoEndpoint() {
+			return authorizationServerSettings.getOidcUserInfoEndpoint();
+		}
+
+		@Override
+		public String getOidcLogoutEndpoint() {
+			return authorizationServerSettings.getOidcLogoutEndpoint();
 		}
 
 	}

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/RegisteredClientOidcClientRegistrationConverter.java

@@ -68,7 +68,7 @@ public OidcClientRegistration convert(RegisteredClient registeredClient) {
 
 		AuthorizationServerContext authorizationServerContext = AuthorizationServerContextHolder.getContext();
 		String registrationClientUri = UriComponentsBuilder.fromUriString(authorizationServerContext.getIssuer())
-				.path(authorizationServerContext.getAuthorizationServerSettings().getOidcClientRegistrationEndpoint())
+				.path(authorizationServerContext.getOidcClientRegistrationEndpoint())
 				.queryParam(OAuth2ParameterNames.CLIENT_ID, registeredClient.getClientId())
 				.toUriString();
 

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcProviderConfigurationEndpointFilter.java

@@ -95,25 +95,24 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 
 		AuthorizationServerContext authorizationServerContext = AuthorizationServerContextHolder.getContext();
 		String issuer = authorizationServerContext.getIssuer();
-		AuthorizationServerSettings authorizationServerSettings = authorizationServerContext.getAuthorizationServerSettings();
 
 		OidcProviderConfiguration.Builder providerConfiguration = OidcProviderConfiguration.builder()
 				.issuer(issuer)
-				.authorizationEndpoint(asUrl(issuer, authorizationServerSettings.getAuthorizationEndpoint()))
-				.deviceAuthorizationEndpoint(asUrl(issuer, authorizationServerSettings.getDeviceAuthorizationEndpoint()))
-				.tokenEndpoint(asUrl(issuer, authorizationServerSettings.getTokenEndpoint()))
+				.authorizationEndpoint(asUrl(issuer, authorizationServerContext.getAuthorizationEndpoint()))
+				.deviceAuthorizationEndpoint(asUrl(issuer, authorizationServerContext.getDeviceAuthorizationEndpoint()))
+				.tokenEndpoint(asUrl(issuer, authorizationServerContext.getTokenEndpoint()))
 				.tokenEndpointAuthenticationMethods(clientAuthenticationMethods())
-				.jwkSetUrl(asUrl(issuer, authorizationServerSettings.getJwkSetEndpoint()))
-				.userInfoEndpoint(asUrl(issuer, authorizationServerSettings.getOidcUserInfoEndpoint()))
-				.endSessionEndpoint(asUrl(issuer, authorizationServerSettings.getOidcLogoutEndpoint()))
+				.jwkSetUrl(asUrl(issuer, authorizationServerContext.getJwkSetEndpoint()))
+				.userInfoEndpoint(asUrl(issuer, authorizationServerContext.getOidcUserInfoEndpoint()))
+				.endSessionEndpoint(asUrl(issuer, authorizationServerContext.getOidcLogoutEndpoint()))
 				.responseType(OAuth2AuthorizationResponseType.CODE.getValue())
 				.grantType(AuthorizationGrantType.AUTHORIZATION_CODE.getValue())
 				.grantType(AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
 				.grantType(AuthorizationGrantType.REFRESH_TOKEN.getValue())
 				.grantType(AuthorizationGrantType.DEVICE_CODE.getValue())
-				.tokenRevocationEndpoint(asUrl(issuer, authorizationServerSettings.getTokenRevocationEndpoint()))
+				.tokenRevocationEndpoint(asUrl(issuer, authorizationServerContext.getTokenRevocationEndpoint()))
 				.tokenRevocationEndpointAuthenticationMethods(clientAuthenticationMethods())
-				.tokenIntrospectionEndpoint(asUrl(issuer, authorizationServerSettings.getTokenIntrospectionEndpoint()))
+				.tokenIntrospectionEndpoint(asUrl(issuer, authorizationServerContext.getTokenIntrospectionEndpoint()))
 				.tokenIntrospectionEndpointAuthenticationMethods(clientAuthenticationMethods())
 				.subjectType("public")
 				.idTokenSigningAlgorithm(SignatureAlgorithm.RS256.getName())

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationServerMetadataEndpointFilter.java

@@ -108,23 +108,22 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 
 		AuthorizationServerContext authorizationServerContext = AuthorizationServerContextHolder.getContext();
 		String issuer = authorizationServerContext.getIssuer();
-		AuthorizationServerSettings authorizationServerSettings = authorizationServerContext.getAuthorizationServerSettings();
 
 		OAuth2AuthorizationServerMetadata.Builder authorizationServerMetadata = OAuth2AuthorizationServerMetadata.builder()
 				.issuer(issuer)
-				.authorizationEndpoint(asUrl(issuer, authorizationServerSettings.getAuthorizationEndpoint()))
-				.deviceAuthorizationEndpoint(asUrl(issuer, authorizationServerSettings.getDeviceAuthorizationEndpoint()))
-				.tokenEndpoint(asUrl(issuer, authorizationServerSettings.getTokenEndpoint()))
+				.authorizationEndpoint(asUrl(issuer, authorizationServerContext.getAuthorizationEndpoint()))
+				.deviceAuthorizationEndpoint(asUrl(issuer, authorizationServerContext.getDeviceAuthorizationEndpoint()))
+				.tokenEndpoint(asUrl(issuer, authorizationServerContext.getTokenEndpoint()))
 				.tokenEndpointAuthenticationMethods(clientAuthenticationMethods())
-				.jwkSetUrl(asUrl(issuer, authorizationServerSettings.getJwkSetEndpoint()))
+				.jwkSetUrl(asUrl(issuer, authorizationServerContext.getJwkSetEndpoint()))
 				.responseType(OAuth2AuthorizationResponseType.CODE.getValue())
 				.grantType(AuthorizationGrantType.AUTHORIZATION_CODE.getValue())
 				.grantType(AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
 				.grantType(AuthorizationGrantType.REFRESH_TOKEN.getValue())
 				.grantType(AuthorizationGrantType.DEVICE_CODE.getValue())
-				.tokenRevocationEndpoint(asUrl(issuer, authorizationServerSettings.getTokenRevocationEndpoint()))
+				.tokenRevocationEndpoint(asUrl(issuer, authorizationServerContext.getTokenRevocationEndpoint()))
 				.tokenRevocationEndpointAuthenticationMethods(clientAuthenticationMethods())
-				.tokenIntrospectionEndpoint(asUrl(issuer, authorizationServerSettings.getTokenIntrospectionEndpoint()))
+				.tokenIntrospectionEndpoint(asUrl(issuer, authorizationServerContext.getTokenIntrospectionEndpoint()))
 				.tokenIntrospectionEndpointAuthenticationMethods(clientAuthenticationMethods())
 				.codeChallengeMethod("S256");
 

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/context/TestAuthorizationServerContext.java

@@ -36,12 +36,57 @@ public TestAuthorizationServerContext(AuthorizationServerSettings authorizationS
 	public String getIssuer() {
 		return this.issuerSupplier != null ?
 				this.issuerSupplier.get() :
-				getAuthorizationServerSettings().getIssuer();
+					authorizationServerSettings.getIssuer();
 	}
 
 	@Override
-	public AuthorizationServerSettings getAuthorizationServerSettings() {
-		return this.authorizationServerSettings;
+	public String getAuthorizationEndpoint() {
+		return authorizationServerSettings.getAuthorizationEndpoint();
+	}
+
+	@Override
+	public String getDeviceAuthorizationEndpoint() {
+		return authorizationServerSettings.getDeviceAuthorizationEndpoint();
+	}
+
+	@Override
+	public String getDeviceVerificationEndpoint() {
+		return authorizationServerSettings.getDeviceAuthorizationEndpoint();
+	}
+
+	@Override
+	public String getTokenEndpoint() {
+		return authorizationServerSettings.getTokenEndpoint();
+	}
+
+	@Override
+	public String getJwkSetEndpoint() {
+		return authorizationServerSettings.getJwkSetEndpoint();
+	}
+
+	@Override
+	public String getTokenRevocationEndpoint() {
+		return authorizationServerSettings.getTokenRevocationEndpoint();
+	}
+
+	@Override
+	public String getTokenIntrospectionEndpoint() {
+		return authorizationServerSettings.getTokenIntrospectionEndpoint();
+	}
+
+	@Override
+	public String getOidcClientRegistrationEndpoint() {
+		return authorizationServerSettings.getOidcClientRegistrationEndpoint();
+	}
+
+	@Override
+	public String getOidcUserInfoEndpoint() {
+		return authorizationServerSettings.getOidcUserInfoEndpoint();
+	}
+
+	@Override
+	public String getOidcLogoutEndpoint() {
+		return authorizationServerSettings.getOidcLogoutEndpoint();
 	}
 
 }

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcClientConfigurationAuthenticationProviderTests.java

@@ -371,7 +371,7 @@ public void authenticateWhenValidAccessTokenThenReturnClientRegistration() {
 
 		AuthorizationServerContext authorizationServerContext = AuthorizationServerContextHolder.getContext();
 		String expectedRegistrationClientUrl = UriComponentsBuilder.fromUriString(authorizationServerContext.getIssuer())
-				.path(authorizationServerContext.getAuthorizationServerSettings().getOidcClientRegistrationEndpoint())
+				.path(authorizationServerContext.getOidcClientRegistrationEndpoint())
 				.queryParam(OAuth2ParameterNames.CLIENT_ID, registeredClient.getClientId()).toUriString();
 
 		assertThat(clientRegistrationResult.getRegistrationClientUrl().toString()).isEqualTo(expectedRegistrationClientUrl);