Implement OpenID Provider Configuration endpoint

- See https://openid.net/specs/openid-connect-discovery-1_0.html
  sections 3 and 4.
- We introduce here a "ProviderSettings" construct to configure
  the authorization server, starting with endpoint paths (e.g.
  token endpoint, jwk set endpont, ...)

Author: Kehrlann

oauth2-authorization-server/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationServerConfigurer.java

@@ -34,11 +34,13 @@
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2RefreshTokenAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenRevocationAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
 import org.springframework.security.oauth2.server.authorization.web.JwkSetEndpointFilter;
 import org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationEndpointFilter;
 import org.springframework.security.oauth2.server.authorization.web.OAuth2ClientAuthenticationFilter;
 import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter;
 import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenRevocationEndpointFilter;
+import org.springframework.security.oauth2.server.authorization.web.OidcProviderConfigurationFilter;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.authentication.HttpStatusEntryPoint;
 import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
@@ -80,6 +82,8 @@ public final class OAuth2AuthorizationServerConfigurer<B extends HttpSecurityBui
 			OAuth2TokenRevocationEndpointFilter.DEFAULT_TOKEN_REVOCATION_ENDPOINT_URI, HttpMethod.POST.name());
 	private final RequestMatcher jwkSetEndpointMatcher = new AntPathRequestMatcher(
 			JwkSetEndpointFilter.DEFAULT_JWK_SET_ENDPOINT_URI, HttpMethod.GET.name());
+	private final RequestMatcher oidcProviderMetadataEndpointMatcher = new AntPathRequestMatcher(
+			"/.well-known/openid-configuration", HttpMethod.GET.name());
 
 	/**
 	 * Sets the repository of registered clients.
@@ -117,14 +121,27 @@ public OAuth2AuthorizationServerConfigurer<B> keyManager(KeyManager keyManager)
 		return this;
 	}
 
+	/**
+	 * Sets the provider settings.
+	 *
+	 * @param providerSettings the provider settings
+	 * @return the {@link OAuth2AuthorizationServerConfigurer} for further configuration
+	 */
+	public OAuth2AuthorizationServerConfigurer<B> providerSettings(ProviderSettings providerSettings) {
+		Assert.notNull(providerSettings, "providerSettings cannot be null");
+		this.getBuilder().setSharedObject(ProviderSettings.class, providerSettings);
+		return this;
+	}
+
 	/**
 	 * Returns a {@code List} of {@link RequestMatcher}'s for the authorization server endpoints.
 	 *
 	 * @return a {@code List} of {@link RequestMatcher}'s for the authorization server endpoints
 	 */
 	public List<RequestMatcher> getEndpointMatchers() {
+		// TODO: use ProviderSettings instead
 		return Arrays.asList(this.authorizationEndpointMatcher, this.tokenEndpointMatcher,
-				this.tokenRevocationEndpointMatcher, this.jwkSetEndpointMatcher);
+				this.tokenRevocationEndpointMatcher, this.jwkSetEndpointMatcher, oidcProviderMetadataEndpointMatcher);
 	}
 
 	@Override
@@ -172,7 +189,12 @@ public void init(B builder) {
 
 	@Override
 	public void configure(B builder) {
-		JwkSetEndpointFilter jwkSetEndpointFilter = new JwkSetEndpointFilter(getKeyManager(builder));
+		OidcProviderConfigurationFilter oidcProviderConfigurationFilter = new OidcProviderConfigurationFilter(getProviderSettings(builder));
+		builder.addFilterBefore(postProcess(oidcProviderConfigurationFilter), AbstractPreAuthenticatedProcessingFilter.class);
+
+		JwkSetEndpointFilter jwkSetEndpointFilter = new JwkSetEndpointFilter(
+				getKeyManager(builder),
+				getProviderSettings(builder).jwkSetEndpoint());
 		builder.addFilterBefore(postProcess(jwkSetEndpointFilter), AbstractPreAuthenticatedProcessingFilter.class);
 
 		AuthenticationManager authenticationManager = builder.getSharedObject(AuthenticationManager.class);
@@ -186,18 +208,21 @@ public void configure(B builder) {
 		OAuth2AuthorizationEndpointFilter authorizationEndpointFilter =
 				new OAuth2AuthorizationEndpointFilter(
 						getRegisteredClientRepository(builder),
-						getAuthorizationService(builder));
+						getAuthorizationService(builder),
+						getProviderSettings(builder).authorizationEndpoint());
 		builder.addFilterBefore(postProcess(authorizationEndpointFilter), AbstractPreAuthenticatedProcessingFilter.class);
 
 		OAuth2TokenEndpointFilter tokenEndpointFilter =
 				new OAuth2TokenEndpointFilter(
 						authenticationManager,
-						getAuthorizationService(builder));
+						getAuthorizationService(builder),
+						getProviderSettings(builder).tokenEndpoint());
 		builder.addFilterAfter(postProcess(tokenEndpointFilter), FilterSecurityInterceptor.class);
 
 		OAuth2TokenRevocationEndpointFilter tokenRevocationEndpointFilter =
 				new OAuth2TokenRevocationEndpointFilter(
-						authenticationManager);
+						authenticationManager,
+						getProviderSettings(builder).tokenRevocationEndpoint());
 		builder.addFilterAfter(postProcess(tokenRevocationEndpointFilter), OAuth2TokenEndpointFilter.class);
 	}
 
@@ -249,4 +274,17 @@ private static <B extends HttpSecurityBuilder<B>> KeyManager getKeyManager(B bui
 	private static <B extends HttpSecurityBuilder<B>> KeyManager getKeyManagerBean(B builder) {
 		return builder.getSharedObject(ApplicationContext.class).getBean(KeyManager.class);
 	}
+
+	private static <B extends HttpSecurityBuilder<B>> ProviderSettings getProviderSettings(B builder) {
+		ProviderSettings providerSettings = builder.getSharedObject(ProviderSettings.class);
+		if (providerSettings == null) {
+			providerSettings = getProviderSettingsBean(builder);
+			builder.setSharedObject(ProviderSettings.class, providerSettings);
+		}
+		return providerSettings;
+	}
+
+	private static <B extends HttpSecurityBuilder<B>> ProviderSettings getProviderSettingsBean(B builder) {
+		return builder.getSharedObject(ApplicationContext.class).getBean(ProviderSettings.class);
+	}
 }

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/http/converter/OidcProviderConfigurationHttpMessageConverter.java

@@ -0,0 +1,169 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.core.http.converter;
+
+import org.springframework.core.ParameterizedTypeReference;
+import org.springframework.core.convert.TypeDescriptor;
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.http.HttpInputMessage;
+import org.springframework.http.HttpOutputMessage;
+import org.springframework.http.MediaType;
+import org.springframework.http.converter.AbstractHttpMessageConverter;
+import org.springframework.http.converter.GenericHttpMessageConverter;
+import org.springframework.http.converter.HttpMessageConverter;
+import org.springframework.http.converter.HttpMessageNotReadableException;
+import org.springframework.http.converter.HttpMessageNotWritableException;
+import org.springframework.security.oauth2.core.converter.ClaimConversionService;
+import org.springframework.security.oauth2.core.converter.ClaimTypeConverter;
+import org.springframework.security.oauth2.core.oidc.OidcProviderMetadataClaimNames;
+import org.springframework.security.oauth2.core.oidc.endpoint.OidcProviderConfiguration;
+import org.springframework.util.Assert;
+
+import java.io.IOException;
+import java.net.URI;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Map;
+
+
+/**
+ * A {@link HttpMessageConverter} for an {@link OidcProviderConfiguration OpenID Provider Configuration Metadata}.
+ *
+ * @author Daniel Garnier-Moiroux
+ * @since 0.1.0
+ * @see AbstractHttpMessageConverter
+ * @see OidcProviderConfiguration
+ */
+public class OidcProviderConfigurationHttpMessageConverter
+		extends AbstractHttpMessageConverter<OidcProviderConfiguration> {
+	private static final ParameterizedTypeReference<Map<String, Object>> STRING_OBJECT_MAP =
+			new ParameterizedTypeReference<Map<String, Object>>() {
+			};
+
+	private final GenericHttpMessageConverter<Object> jsonMessageConverter = HttpMessageConverters.getJsonMessageConverter();
+
+	private Converter<Map<String, Object>, OidcProviderConfiguration> oidcProviderConfigurationConverter = new ProviderConfigurationConverter();
+	private Converter<OidcProviderConfiguration, Map<String, Object>> oidcProviderConfigurationParametersConverter = OidcProviderConfiguration::getClaims;
+
+	public OidcProviderConfigurationHttpMessageConverter() {
+		super(MediaType.APPLICATION_JSON, new MediaType("application", "*+json"));
+	}
+
+	@Override
+	protected boolean supports(Class<?> clazz) {
+		return OidcProviderConfiguration.class.isAssignableFrom(clazz);
+	}
+
+	@Override
+	@SuppressWarnings("unchecked")
+	protected OidcProviderConfiguration readInternal(Class<? extends OidcProviderConfiguration> clazz, HttpInputMessage inputMessage)
+			throws HttpMessageNotReadableException {
+		try {
+			Map<String, Object> providerConfigurationParameters = (Map<String, Object>) this.jsonMessageConverter.read(STRING_OBJECT_MAP.getType(), null, inputMessage);
+			return this.oidcProviderConfigurationConverter.convert(providerConfigurationParameters);
+		} catch (Exception ex) {
+			throw new HttpMessageNotReadableException(
+					"An error occurred reading the OpenID Provider Configuration: " + ex.getMessage(), ex, inputMessage);
+		}
+	}
+
+	@Override
+	protected void writeInternal(OidcProviderConfiguration providerConfiguration, HttpOutputMessage outputMessage) throws IOException, HttpMessageNotWritableException {
+		try {
+			Map<String, Object> providerConfigurationResponseParameters =
+					this.oidcProviderConfigurationParametersConverter.convert(providerConfiguration);
+			this.jsonMessageConverter.write(
+					providerConfigurationResponseParameters,
+					STRING_OBJECT_MAP.getType(),
+					MediaType.APPLICATION_JSON,
+					outputMessage
+			);
+		} catch (Exception ex) {
+			throw new HttpMessageNotWritableException(
+					"An error occurred writing the OpenID Provider Configuration: " + ex.getMessage(), ex);
+		}
+	}
+
+	/**
+	 * Sets the {@link Converter} used for converting the {@link OidcProviderConfiguration} to a
+	 * {@code Map} representation of the OpenID Provider Configuration.
+	 *
+	 * @param providerConfigurationParametersConverter the {@link Converter} used for converting to a
+	 *                                                 {@code Map} representation of the OpenID Provider Configuration
+	 */
+	public final void setProviderConfigurationParametersConverter(
+			Converter<OidcProviderConfiguration, Map<String, Object>> providerConfigurationParametersConverter) {
+		Assert.notNull(providerConfigurationParametersConverter, "providerConfigurationParametersConverter cannot be null");
+		this.oidcProviderConfigurationParametersConverter = providerConfigurationParametersConverter;
+	}
+
+	/**
+	 * Sets the {@link Converter} used for converting the OpenID Provider Configuration parameters
+	 * to a {@link OidcProviderConfiguration}.
+	 *
+	 * @param providerConfigurationConverter the {@link Converter} used for converting to a
+	 *                                       {@link OidcProviderConfiguration}
+	 */
+	public void setProviderConfigurationConverter(Converter<Map<String, Object>, OidcProviderConfiguration> providerConfigurationConverter) {
+		Assert.notNull(providerConfigurationConverter, "providerConfigurationConverter cannot be null");
+		this.oidcProviderConfigurationConverter = providerConfigurationConverter;
+	}
+
+	private static final class ProviderConfigurationConverter implements Converter<Map<String, Object>, OidcProviderConfiguration> {
+		private static final ClaimConversionService CLAIM_CONVERSION_SERVICE = ClaimConversionService.getSharedInstance();
+		private static final TypeDescriptor OBJECT_TYPE_DESCRIPTOR = TypeDescriptor.valueOf(Object.class);
+		private static final TypeDescriptor STRING_TYPE_DESCRIPTOR = TypeDescriptor.valueOf(String.class);
+		private final ClaimTypeConverter claimTypeConverter;
+
+		ProviderConfigurationConverter() {
+			Map<String, Converter<Object, ?>> claimNameToConverter = new HashMap<>();
+			Converter<Object, ?> collectionStringConverter = getConverter(
+					TypeDescriptor.collection(Collection.class, STRING_TYPE_DESCRIPTOR));
+			claimNameToConverter.put(OidcProviderMetadataClaimNames.ISSUER, ProviderConfigurationConverter::convertUri);
+			claimNameToConverter.put(OidcProviderMetadataClaimNames.AUTHORIZATION_ENDPOINT, ProviderConfigurationConverter::convertUri);
+			claimNameToConverter.put(OidcProviderMetadataClaimNames.TOKEN_ENDPOINT, ProviderConfigurationConverter::convertUri);
+			claimNameToConverter.put(OidcProviderMetadataClaimNames.JWKS_URI, ProviderConfigurationConverter::convertUri);
+			claimNameToConverter.put(OidcProviderMetadataClaimNames.GRANT_TYPES_SUPPORTED, collectionStringConverter);
+			claimNameToConverter.put(OidcProviderMetadataClaimNames.TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED, collectionStringConverter);
+			claimNameToConverter.put(OidcProviderMetadataClaimNames.SUBJECT_TYPES_SUPPORTED, collectionStringConverter);
+			claimNameToConverter.put(OidcProviderMetadataClaimNames.SCOPES_SUPPORTED, collectionStringConverter);
+			claimNameToConverter.put(OidcProviderMetadataClaimNames.RESPONSE_TYPES_SUPPORTED, collectionStringConverter);
+			this.claimTypeConverter = new ClaimTypeConverter(claimNameToConverter);
+		}
+
+		@Override
+		public OidcProviderConfiguration convert(Map<String, Object> source) {
+			Map<String, Object> parsedClaims = claimTypeConverter.convert(source);
+			return new OidcProviderConfiguration.Builder(parsedClaims).build();
+		}
+
+		private static URI convertUri(Object source) {
+			if (source == null) {
+				return null;
+			}
+			try {
+				return new URI(source.toString());
+			}
+			catch (Exception ex) {
+				throw new IllegalStateException("Could not coerce " + source + " into a URI String", ex);
+			}
+		}
+
+		private static Converter<Object, ?> getConverter(TypeDescriptor targetDescriptor) {
+			return (source) -> CLAIM_CONVERSION_SERVICE.convert(source, OBJECT_TYPE_DESCRIPTOR, targetDescriptor);
+		}
+	}
+}

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/OidcProviderMetadataClaimAccessor.java

@@ -0,0 +1,119 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.core.oidc;
+
+
+import org.springframework.security.oauth2.core.ClaimAccessor;
+import org.springframework.security.oauth2.core.oidc.endpoint.OidcProviderConfiguration;
+
+import java.net.URL;
+import java.util.List;
+
+/**
+ * A {@link ClaimAccessor} for the "claims" that can be returned
+ * in the OpenID Provider Configuration Response.
+ *
+ * @author Daniel Garnier-Moiroux
+ * @since 0.1.0
+ * @see ClaimAccessor
+ * @see OidcProviderMetadataClaimNames
+ * @see OidcProviderConfiguration
+ * @see <a target="_blank" href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata">OpenID Connect Discovery 1.0</a>
+ */
+public interface OidcProviderMetadataClaimAccessor extends ClaimAccessor {
+
+	/**
+	 * Returns the Issuer identifier {@code (issuer)}.
+	 *
+	 * @return the Issuer identifier
+	 */
+	default URL getIssuer() {
+		return this.getClaimAsURL(OidcProviderMetadataClaimNames.ISSUER);
+	}
+
+	/**
+	 * Returns the URL of the OAuth 2.0 Authorization Endpoint {@code (authorization_endpoint)}.
+	 *
+	 * @return the URL of the OAuth 2.0 Authorization Endpoint
+	 */
+	default URL getAuthorizationEndpoint() {
+		return this.getClaimAsURL(OidcProviderMetadataClaimNames.AUTHORIZATION_ENDPOINT);
+	}
+
+	/**
+	 * Returns the URL of the OAuth 2.0 Token Endpoint {@code (token_endpoint)}.
+	 *
+	 * @return the URL of the OAuth 2.0 Token Endpoint
+	 */
+	default URL getTokenEndpoint() {
+		return this.getClaimAsURL(OidcProviderMetadataClaimNames.TOKEN_ENDPOINT);
+	}
+
+	/**
+	 * Returns the client authentication methods supported by the OAuth 2.0 Token Endpoint {@code (token_endpoint_auth_methods_supported)}.
+	 *
+	 * @return the client authentication methods supported by the OAuth 2.0 Token Endpoint
+	 */
+	default List<String> getTokenEndpointAuthenticationMethods() {
+		return this.getClaimAsStringList(OidcProviderMetadataClaimNames.TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED);
+	}
+
+	/**
+	 * Returns the URL of the JSON Web Key Set {@code (jwks_uri)}.
+	 *
+	 * @return the URL of the JSON Web Key Set
+	 */
+	default URL getJwksUri() {
+		return this.getClaimAsURL(OidcProviderMetadataClaimNames.JWKS_URI);
+	}
+
+	/**
+	 * Returns the OAuth 2.0 {@code response_type} values supported {@code (response_types_supported)}.
+	 *
+	 * @return the OAuth 2.0 {@code response_type} values supported
+	 */
+	default List<String> getResponseTypes() {
+		return this.getClaimAsStringList(OidcProviderMetadataClaimNames.RESPONSE_TYPES_SUPPORTED);
+	}
+
+	/**
+	 * Returns the OAuth 2.0 {@code grant_type} values supported {@code (grant_types_supported)}.
+	 *
+	 * @return the OAuth 2.0 {@code grant_type} values supported
+	 */
+	default List<String> getGrantTypes() {
+		return this.getClaimAsStringList(OidcProviderMetadataClaimNames.GRANT_TYPES_SUPPORTED);
+	}
+
+	/**
+	 * Returns the Subject Identifier types supported {@code (subject_types_supported)}.
+	 *
+	 * @return the Subject Identifier types supported
+	 */
+	default List<String> getSubjectTypes() {
+		return this.getClaimAsStringList(OidcProviderMetadataClaimNames.SUBJECT_TYPES_SUPPORTED);
+	}
+
+	/**
+	 * Returns the OAuth 2.0 {@code scope} values supported {@code (scopes_supported)}.
+	 *
+	 * @return the OAuth 2.0 {@code scope} values supported
+	 */
+	default List<String> getScopes() {
+		return this.getClaimAsStringList(OidcProviderMetadataClaimNames.SCOPES_SUPPORTED);
+	}
+
+}