Add consent AuthenticationProvider

Issue spring-projectsgh-44

Author: Steve Riesenberg

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/InMemoryOAuth2AuthorizationService.java

@@ -159,6 +159,10 @@ private static boolean hasToken(OAuth2Authorization authorization, String token,
 			return matchesAccessToken(authorization, token);
 		} else if (OAuth2TokenType.REFRESH_TOKEN.equals(tokenType)) {
 			return matchesRefreshToken(authorization, token);
+		} else if (OAuth2DeviceCode.TOKEN_TYPE.equals(tokenType)) {
+			return matchesDeviceCode(authorization, token);
+		} else if (OAuth2UserCode.TOKEN_TYPE.equals(tokenType)) {
+			return matchesUserCode(authorization, token);
 		}
 		return false;
 	}
@@ -185,6 +189,18 @@ private static boolean matchesRefreshToken(OAuth2Authorization authorization, St
 		return refreshToken != null && refreshToken.getToken().getTokenValue().equals(token);
 	}
 
+	private static boolean matchesDeviceCode(OAuth2Authorization authorization, String token) {
+		OAuth2Authorization.Token<OAuth2DeviceCode> deviceCode =
+				authorization.getToken(OAuth2DeviceCode.class);
+		return deviceCode != null && deviceCode.getToken().getTokenValue().equals(token);
+	}
+
+	private static boolean matchesUserCode(OAuth2Authorization authorization, String token) {
+		OAuth2Authorization.Token<OAuth2UserCode> userCode =
+				authorization.getToken(OAuth2UserCode.class);
+		return userCode != null && userCode.getToken().getTokenValue().equals(token);
+	}
+
 	private static final class MaxSizeHashMap<K, V> extends LinkedHashMap<K, V> {
 		private final int maxSize;
 

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationConsentAuthenticationToken.java

@@ -0,0 +1,69 @@
+/*
+ * Copyright 2020-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.authentication;
+
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import org.springframework.lang.Nullable;
+import org.springframework.security.core.Authentication;
+
+/**
+ * An {@link Authentication} implementation for the Authorization Consent used
+ * in the OAuth 2.0 Device Authorization Grant.
+ *
+ * @author Steve Riesenberg
+ * @since 1.1
+ */
+public class OAuth2DeviceAuthorizationConsentAuthenticationToken extends OAuth2AuthorizationConsentAuthenticationToken {
+
+	private final String userCode;
+
+	private final Set<String> requestedScopes;
+
+	/**
+	 * Constructs an {@code OAuth2DeviceAuthorizationConsentAuthenticationToken} using the provided parameters.
+	 *
+	 * @param authorizationUri the authorization URI
+	 * @param clientId the client identifier
+	 * @param principal the {@code Principal} (Resource Owner)
+	 * @param userCode the user code associated with the device authorization request
+	 * @param state the state
+	 * @param requestedScopes the requested scope(s)
+	 * @param authorizedScopes the authorized scope(s)
+	 * @param additionalParameters the additional parameters
+	 */
+	public OAuth2DeviceAuthorizationConsentAuthenticationToken(String authorizationUri, String clientId,
+			Authentication principal, String userCode, String state, @Nullable Set<String> requestedScopes,
+			@Nullable Set<String> authorizedScopes, @Nullable Map<String, Object> additionalParameters) {
+		super(authorizationUri, clientId, principal, state, authorizedScopes, additionalParameters);
+		this.userCode = userCode;
+		this.requestedScopes = Collections.unmodifiableSet(
+				requestedScopes != null ?
+						new HashSet<>(requestedScopes) :
+						Collections.emptySet());
+	}
+
+	public String getUserCode() {
+		return this.userCode;
+	}
+
+	public Set<String> getRequestedScopes() {
+		return this.requestedScopes;
+	}
+}

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationRequestAuthenticationProvider.java

@@ -64,7 +64,7 @@ public final class OAuth2DeviceAuthorizationRequestAuthenticationProvider implem
 
 	private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2";
 
-	private static final String DEFAULT_VERIFICATION_URI = "/activate";
+	private static final String DEFAULT_VERIFICATION_URI = "/oauth2/device_verification"; // TODO
 
 	private static final StringKeyGenerator DEFAULT_STATE_GENERATOR =
 			new Base64StringKeyGenerator(Base64.getUrlEncoder());
@@ -118,7 +118,6 @@ public Authentication authenticate(Authentication authentication) throws Authent
 			this.logger.trace("Validated device authorization request parameters");
 		}
 
-		// TODO: Do we need to capture authorizationUri?
 		OAuth2AuthorizationRequest authorizationRequest = OAuth2AuthorizationRequest.authorizationCode()
 				.authorizationUri(deviceAuthorizationRequestAuthentication.getAuthorizationUri())
 				.clientId(registeredClient.getClientId())
@@ -187,7 +186,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 		UriComponentsBuilder uriComponentsBuilder = UriComponentsBuilder.fromHttpUrl(issuerUri)
 				.path(this.verificationUri);
 		String verificationUri = uriComponentsBuilder.build().toUriString();
-		String verificationUriComplete = uriComponentsBuilder.queryParam("code", userCode.getTokenValue()).build()
+		String verificationUriComplete = uriComponentsBuilder.queryParam("user_code", userCode.getTokenValue()).build()
 				.toUriString();
 
 		if (this.logger.isTraceEnabled()) {

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationRequestAuthenticationToken.java

@@ -22,6 +22,7 @@
 import org.springframework.lang.NonNull;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.server.authorization.util.SpringAuthorizationServerVersion;
 import org.springframework.util.Assert;
 import org.springframework.util.CollectionUtils;
 
@@ -34,6 +35,7 @@
  * @see OAuth2DeviceAuthorizationRequestAuthenticationProvider
  */
 public final class OAuth2DeviceAuthorizationRequestAuthenticationToken extends AbstractAuthenticationToken {
+	private static final long serialVersionUID = SpringAuthorizationServerVersion.SERIAL_VERSION_UID;
 	private String clientId;
 	private Authentication principal;
 	private String authorizationUri;

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProvider.java

@@ -0,0 +1,150 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.server.authorization.authentication;
+
+import java.util.Set;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.core.oidc.OidcScopes;
+import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
+import org.springframework.security.oauth2.server.authorization.OAuth2UserCode;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
+import org.springframework.util.Assert;
+
+/**
+ * @author Steve Riesenberg
+ * @since 1.1
+ */
+public final class OAuth2DeviceVerificationAuthenticationProvider implements AuthenticationProvider {
+
+	private final Log logger = LogFactory.getLog(getClass());
+	private final RegisteredClientRepository registeredClientRepository;
+	private final OAuth2AuthorizationService authorizationService;
+	private final OAuth2AuthorizationConsentService authorizationConsentService;
+
+	public OAuth2DeviceVerificationAuthenticationProvider(
+			RegisteredClientRepository registeredClientRepository,
+			OAuth2AuthorizationService authorizationService,
+			OAuth2AuthorizationConsentService authorizationConsentService) {
+		Assert.notNull(registeredClientRepository, "registeredClientRepository cannot be null");
+		Assert.notNull(authorizationService, "authorizationService cannot be null");
+		Assert.notNull(authorizationConsentService, "authorizationConsentService cannot be null");
+		this.registeredClientRepository = registeredClientRepository;
+		this.authorizationService = authorizationService;
+		this.authorizationConsentService = authorizationConsentService;
+	}
+
+	@Override
+	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+		OAuth2DeviceVerificationAuthenticationToken deviceVerificationAuthentication =
+				(OAuth2DeviceVerificationAuthenticationToken) authentication;
+
+		String userCode = deviceVerificationAuthentication.getUserCode();
+
+		OAuth2Authorization authorization = this.authorizationService.findByToken(
+				userCode, OAuth2UserCode.TOKEN_TYPE);
+		if (authorization == null) {
+			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
+		}
+
+		if (this.logger.isTraceEnabled()) {
+			this.logger.trace("Retrieved authorization with user code");
+		}
+
+		RegisteredClient registeredClient = this.registeredClientRepository.findById(
+				authorization.getRegisteredClientId());
+		Assert.notNull(registeredClient, "registeredClient cannot be null");
+
+		if (this.logger.isTraceEnabled()) {
+			this.logger.trace("Retrieved registered client");
+		}
+
+		Authentication principal = (Authentication) deviceVerificationAuthentication.getPrincipal();
+		if (!isPrincipalAuthenticated(principal)) {
+			if (this.logger.isTraceEnabled()) {
+				this.logger.trace("Did not authenticate device authorization request since principal not authenticated");
+			}
+			// Return the authorization request as-is where isAuthenticated() is false
+			return deviceVerificationAuthentication;
+		}
+
+		OAuth2AuthorizationRequest authorizationRequest = authorization.getAttribute(OAuth2AuthorizationRequest.class.getName());
+		Assert.notNull(authorizationRequest, "authorizationRequest cannot be null");
+
+		OAuth2AuthorizationConsent currentAuthorizationConsent = this.authorizationConsentService.findById(
+				registeredClient.getId(), principal.getName());
+
+		Set<String> currentAuthorizedScopes = currentAuthorizationConsent != null ?
+				currentAuthorizationConsent.getScopes() : null;
+
+		if (requireAuthorizationConsent(registeredClient, authorizationRequest, currentAuthorizationConsent)) {
+			String state = authorization.getAttribute(OAuth2ParameterNames.STATE);
+
+			return new OAuth2DeviceAuthorizationConsentAuthenticationToken(
+					authorizationRequest.getAuthorizationUri(), registeredClient.getClientId(), principal, userCode,
+					state, authorizationRequest.getScopes(), currentAuthorizedScopes, null);
+		}
+
+		return null;
+	}
+
+	private static boolean requireAuthorizationConsent(RegisteredClient registeredClient,
+			OAuth2AuthorizationRequest authorizationRequest, OAuth2AuthorizationConsent authorizationConsent) {
+
+		if (!registeredClient.getClientSettings().isRequireAuthorizationConsent()) {
+			return false;
+		}
+		// 'openid' scope does not require consent
+		if (authorizationRequest.getScopes().contains(OidcScopes.OPENID) &&
+				authorizationRequest.getScopes().size() == 1) {
+			return false;
+		}
+
+		if (authorizationConsent != null &&
+				authorizationConsent.getScopes().containsAll(authorizationRequest.getScopes())) {
+			return false;
+		}
+
+		return true;
+	}
+
+	private static boolean isPrincipalAuthenticated(Authentication principal) {
+		return principal != null &&
+				!AnonymousAuthenticationToken.class.isAssignableFrom(principal.getClass()) &&
+				principal.isAuthenticated();
+	}
+
+	@Override
+	public boolean supports(Class<?> authentication) {
+		return OAuth2DeviceVerificationAuthenticationToken.class.isAssignableFrom(authentication);
+	}
+
+}