Added token endpoint implementation

Author: kratostaine

core/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2Authorization.java

@@ -21,11 +21,15 @@
 
 /**
  * @author Joe Grandja
+ * @author Madhu Bhat
  */
 public class OAuth2Authorization {
 	private String registeredClientId;
 	private String principalName;
 	private OAuth2AccessToken accessToken;
 	private Map<String, Object> attributes;
 
+	public final void setAccessToken(OAuth2AccessToken accessToken) {
+		this.accessToken = accessToken;
+	}
 }

core/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AccessTokenAuthenticationToken.java

@@ -25,6 +25,7 @@
 
 /**
  * @author Joe Grandja
+ * @author Madhu Bhat
  */
 public class OAuth2AccessTokenAuthenticationToken extends AbstractAuthenticationToken {
 	private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
@@ -49,4 +50,8 @@ public Object getCredentials() {
 	public Object getPrincipal() {
 		return null;
 	}
+
+	public OAuth2AccessToken getAccessToken() {
+		return accessToken;
+	}
 }

core/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationToken.java

@@ -24,6 +24,7 @@
 
 /**
  * @author Joe Grandja
+ * @author Madhu Bhat
  */
 public class OAuth2AuthorizationCodeAuthenticationToken extends AbstractAuthenticationToken {
 	private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
@@ -57,4 +58,8 @@ public Object getCredentials() {
 	public Object getPrincipal() {
 		return null;
 	}
+
+	public String getCode() {
+		return code;
+	}
 }

core/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientAuthenticationManager.java

@@ -0,0 +1,52 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.authentication;
+
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+
+/**
+ * @author Madhu Bhat
+ */
+public class OAuth2ClientAuthenticationManager implements AuthenticationManager {
+
+	private AuthenticationProvider authenticationProvider;
+
+	/**
+	 * Constructs an {@code OAuth2ClientAuthenticationManager} using
+	 * {@code OAuth2AuthorizationCodeAuthenticationProvider} as the default {@code AuthenticationProvider}
+	 * implementation.
+	 */
+	public OAuth2ClientAuthenticationManager() {
+		this.authenticationProvider = new OAuth2AuthorizationCodeAuthenticationProvider();
+	}
+
+	/**
+	 * Constructs an {@code OAuth2ClientAuthenticationManager} using the provided parameters.
+	 *
+	 * @param authenticationProvider the authorization service implementation
+	 */
+	public OAuth2ClientAuthenticationManager(AuthenticationProvider authenticationProvider) {
+		this.authenticationProvider = authenticationProvider;
+	}
+
+	@Override
+	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+		return this.authenticationProvider.authenticate(authentication);
+	}
+}

core/src/main/java/org/springframework/security/oauth2/server/authorization/converter/OAuth2AuthorizationCodeAuthenticationTokenConverter.java

@@ -0,0 +1,39 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.converter;
+
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * Converts from a {@link HttpServletRequest} to an {@link OAuth2AuthorizationCodeAuthenticationToken} that can be authenticated. The
+ * converter does not validate the request but only performs a conversion.
+ * @author Madhu Bhat
+ */
+public class OAuth2AuthorizationCodeAuthenticationTokenConverter implements Converter<HttpServletRequest, OAuth2AuthorizationCodeAuthenticationToken> {
+
+	@Override
+	public OAuth2AuthorizationCodeAuthenticationToken convert(HttpServletRequest request) {
+		return new OAuth2AuthorizationCodeAuthenticationToken(
+				request.getParameter(OAuth2ParameterNames.CODE),
+				request.getParameter(OAuth2ParameterNames.CLIENT_ID),
+				request.getParameter(OAuth2ParameterNames.REDIRECT_URI)
+		);
+	}
+}

core/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilter.java

@@ -16,9 +16,24 @@
 package org.springframework.security.oauth2.server.authorization.web;
 
 import org.springframework.core.convert.converter.Converter;
+import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
+import org.springframework.security.oauth2.server.authorization.TokenType;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationManager;
+import org.springframework.security.oauth2.server.authorization.converter.OAuth2AuthorizationCodeAuthenticationTokenConverter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 import org.springframework.web.filter.OncePerRequestFilter;
 
 import javax.servlet.FilterChain;
@@ -29,16 +44,53 @@
 
 /**
  * @author Joe Grandja
+ * @author Madhu Bhat
  */
 public class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
-	private Converter<HttpServletRequest, Authentication> authorizationGrantConverter;
+	private final String DEFAULT_TOKEN_URI = "/oauth2/token";
+	private Converter<HttpServletRequest, OAuth2AuthorizationCodeAuthenticationToken> authorizationGrantConverter;
 	private AuthenticationManager authenticationManager;
 	private OAuth2AuthorizationService authorizationService;
+	private RequestMatcher uriMatcher;
+
+	/**
+	 * Constructs an {@code OAuth2TokenEndpointFilter} using the provided parameter.
+	 *
+	 * @param authorizationService the authorization service implementation
+	 */
+	public OAuth2TokenEndpointFilter(OAuth2AuthorizationService authorizationService) {
+		Assert.notNull(authorizationService, "authorizationService cannot be null");
+		this.authorizationGrantConverter = new OAuth2AuthorizationCodeAuthenticationTokenConverter();
+		this.authenticationManager = new OAuth2ClientAuthenticationManager();
+		this.uriMatcher = new AntPathRequestMatcher(DEFAULT_TOKEN_URI, HttpMethod.POST.name());
+		this.authorizationService = authorizationService;
+	}
 
 	@Override
 	protected void doFilterInternal(HttpServletRequest request,
 			HttpServletResponse response, FilterChain filterChain)
 			throws ServletException, IOException {
+		if (uriMatcher.matches(request)) {
+			if (isValidAccessTokenRequest(request)) {
+				OAuth2AuthorizationCodeAuthenticationToken authCodeAuthToken = authorizationGrantConverter.convert(request);
+				OAuth2AccessTokenAuthenticationToken accessTokenAuthenticationToken =
+						(OAuth2AccessTokenAuthenticationToken) authenticationManager.authenticate(authCodeAuthToken);
+				OAuth2Authorization authorization = authorizationService
+						.findByTokenAndTokenType(authCodeAuthToken.getCode(), TokenType.AUTHORIZATION_CODE);
+				authorization.setAccessToken(accessTokenAuthenticationToken.getAccessToken());
+				authorizationService.save(authorization);
+			}
+		}
+		filterChain.doFilter(request, response);
+	}
 
+	private boolean isValidAccessTokenRequest(HttpServletRequest request) {
+		if (!AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(request.getParameter(OAuth2ParameterNames.GRANT_TYPE))) {
+			throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.UNSUPPORTED_GRANT_TYPE));
+		} else if (StringUtils.isEmpty(request.getParameter(OAuth2ParameterNames.CODE))
+				|| StringUtils.isEmpty(request.getParameter(OAuth2ParameterNames.REDIRECT_URI))) {
+			throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST));
+		}
+		return true;
 	}
 }