Prototype to remember user consent decisions

Author: joshuatcasey

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/consent/InMemoryUserConsentRepository.java

@@ -0,0 +1,77 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.consent;
+
+import org.springframework.util.Assert;
+
+import java.util.HashSet;
+import java.util.Optional;
+import java.util.Set;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+
+public class InMemoryUserConsentRepository implements UserConsentRepository {
+
+	private final Set<UserConsentRecord> userConsentRecords = new HashSet<>();
+
+	@Override
+	public Set<UserConsentRecord> findBySubjectAndClientId(final String subject, final String clientId) {
+		Assert.hasText(subject, "subject must have text");
+		Assert.hasText(clientId, "clientId must have text");
+
+		return this.userConsentRecords
+				.stream()
+				.filter(record -> subject.equals(record.getSubject()))
+				.filter(record -> clientId.equals(record.getClientId()))
+				.filter(UserConsentRecord::isValid)
+				.collect(Collectors.toSet());
+	}
+
+	@Override
+	public void saveAll(String subject, String clientId, Set<String> consentedScopes) {
+		Assert.hasText(subject, "subject must have text");
+		Assert.hasText(clientId, "clientId must have text");
+		Assert.notNull(consentedScopes, "consentedScopes must not be null");
+
+		Function<String, UserConsentRecord> mapScopeToConsent = (scope) -> new UserConsentRecord(
+				subject,
+				clientId,
+				scope);
+
+		// remove any older consent records
+		this.revokeAll(subject, clientId, consentedScopes);
+		this.userConsentRecords.addAll(consentedScopes.stream().map(mapScopeToConsent).collect(Collectors.toSet()));
+	}
+
+	@Override
+	public void revokeAll(String subject, String clientId, Set<String> revokedScopes) {
+		Assert.hasText(subject, "subject must have text");
+		Assert.hasText(clientId, "clientId must have text");
+		Assert.notNull(revokedScopes, "revokedScopes must not be null");
+
+		revokedScopes.forEach(revokedScope -> this.revokeSingle(subject, clientId, revokedScope));
+	}
+
+	private void revokeSingle(String subject, String clientId, String revokedScope) {
+		this.userConsentRecords
+				.stream()
+				.filter(record -> subject.equals(record.getSubject()))
+				.filter(record -> clientId.equals(record.getClientId()))
+				.filter(record -> revokedScope.equals(record.getAuthorizedScope()))
+				.findFirst()
+				.ifPresent(this.userConsentRecords::remove);
+	}
+}

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/consent/UserConsentRecord.java

@@ -0,0 +1,75 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.consent;
+
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Objects;
+
+public class UserConsentRecord {
+
+	private final String subject;
+	private final String clientId;
+	private final String authorizedScope;
+	private final Instant consentGrantedTime;
+	private final Duration lifetime;
+
+	public UserConsentRecord(
+			final String subject,
+			final String clientId,
+			final String authorizedScope) {
+		this.subject = subject;
+		this.clientId = clientId;
+		this.authorizedScope = authorizedScope;
+		// TODO: consentGrantedTime should be passed in so that it truly reflects when the consent was granted
+		this.consentGrantedTime = Instant.now();
+		// TODO:
+		this.lifetime = Duration.ofDays(7);
+	}
+
+	public String getSubject() {
+		return this.subject;
+	}
+
+	public String getClientId() {
+		return this.clientId;
+	}
+
+	public String getAuthorizedScope() {
+		return this.authorizedScope;
+	}
+
+	public boolean isValid() {
+		return Instant.now().isBefore(this.consentGrantedTime.plus(this.lifetime));
+	}
+
+	@Override
+	public boolean equals(Object o) {
+		if (this == o) return true;
+		if (!(o instanceof UserConsentRecord)) return false;
+		UserConsentRecord that = (UserConsentRecord) o;
+		return Objects.equals(subject, that.subject)
+				&& Objects.equals(clientId, that.clientId)
+				&& Objects.equals(authorizedScope, that.authorizedScope)
+				&& Objects.equals(consentGrantedTime, that.consentGrantedTime)
+				&& Objects.equals(lifetime, that.lifetime);
+	}
+
+	@Override
+	public int hashCode() {
+		return Objects.hash(subject, clientId, authorizedScope, consentGrantedTime, lifetime);
+	}
+}

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/consent/UserConsentRepository.java

@@ -0,0 +1,27 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.consent;
+
+import java.util.Set;
+
+public interface UserConsentRepository {
+
+	Set<UserConsentRecord> findBySubjectAndClientId(String subject, String clientId);
+
+	void saveAll(String subject, String clientId, Set<String> consentedScopes);
+
+	void revokeAll(String subject, String clientId, Set<String> revokedScopes);
+}

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java

@@ -15,23 +15,6 @@
  */
 package org.springframework.security.oauth2.server.authorization.web;
 
-import java.io.IOException;
-import java.nio.charset.StandardCharsets;
-import java.security.Principal;
-import java.time.Instant;
-import java.time.temporal.ChronoUnit;
-import java.util.Arrays;
-import java.util.Base64;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
@@ -50,10 +33,13 @@
 import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;
 import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
-import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode;
+import org.springframework.security.oauth2.server.authorization.consent.InMemoryUserConsentRepository;
+import org.springframework.security.oauth2.server.authorization.consent.UserConsentRecord;
+import org.springframework.security.oauth2.server.authorization.consent.UserConsentRepository;
 import org.springframework.security.web.DefaultRedirectStrategy;
 import org.springframework.security.web.RedirectStrategy;
 import org.springframework.security.web.util.matcher.AndRequestMatcher;
@@ -68,6 +54,24 @@
 import org.springframework.web.filter.OncePerRequestFilter;
 import org.springframework.web.util.UriComponentsBuilder;
 
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.Principal;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Arrays;
+import java.util.Base64;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+
 /**
  * A {@code Filter} for the OAuth 2.0 Authorization Code Grant,
  * which handles the processing of the OAuth 2.0 Authorization Request.
@@ -99,6 +103,7 @@ public class OAuth2AuthorizationEndpointFilter extends OncePerRequestFilter {
 	private final StringKeyGenerator codeGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96);
 	private final StringKeyGenerator stateGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder());
 	private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
+	private final UserConsentRepository userConsentRepository = new InMemoryUserConsentRepository();
 
 	/**
 	 * Constructs an {@code OAuth2AuthorizationEndpointFilter} using the provided parameters.
@@ -198,7 +203,17 @@ private void processAuthorizationRequest(HttpServletRequest request, HttpServlet
 				.attribute(Principal.class.getName(), principal)
 				.attribute(OAuth2AuthorizationRequest.class.getName(), authorizationRequest);
 
-		if (requireUserConsent(registeredClient, authorizationRequest)) {
+		final Set<String> alreadyAuthorizedScopes = new HashSet<>(this.userConsentRepository.findBySubjectAndClientId(
+						principal.getName(),
+						registeredClient.getClientId()))
+				.stream()
+				.map(UserConsentRecord::getAuthorizedScope)
+				.collect(Collectors.toSet());
+		Set<String> scopesRequiringConsent = new HashSet<>(authorizationRequest.getScopes());
+		scopesRequiringConsent.removeAll(alreadyAuthorizedScopes);
+		scopesRequiringConsent.remove(OidcScopes.OPENID);		// openid scope does not require consent
+
+		if (requireUserConsent(registeredClient, authorizationRequest) && !scopesRequiringConsent.isEmpty()) {
 			String state = this.stateGenerator.generateKey();
 			OAuth2Authorization authorization = builder
 					.attribute(OAuth2ParameterNames.STATE, state)
@@ -207,7 +222,8 @@ private void processAuthorizationRequest(HttpServletRequest request, HttpServlet
 
 			// TODO Need to remove 'in-flight' authorization if consent step is not completed (e.g. approved or cancelled)
 
-			UserConsentPage.displayConsent(request, response, registeredClient, authorization);
+			UserConsentPage.displayConsent(request, response, registeredClient, authorization,
+					scopesRequiringConsent, alreadyAuthorizedScopes);
 		} else {
 			Instant issuedAt = Instant.now();
 			Instant expiresAt = issuedAt.plus(5, ChronoUnit.MINUTES);		// TODO Allow configuration for authorization code time-to-live
@@ -269,15 +285,30 @@ private void processUserConsent(HttpServletRequest request, HttpServletResponse
 			return;
 		}
 
-		Instant issuedAt = Instant.now();
-		Instant expiresAt = issuedAt.plus(5, ChronoUnit.MINUTES);		// TODO Allow configuration for authorization code time-to-live
-		OAuth2AuthorizationCode authorizationCode = new OAuth2AuthorizationCode(
-				this.codeGenerator.generateKey(), issuedAt, expiresAt);
-		Set<String> authorizedScopes = userConsentRequestContext.getScopes();
+		Set<String> authorizedScopes = new HashSet<>(userConsentRequestContext.getScopes());
 		if (userConsentRequestContext.getAuthorizationRequest().getScopes().contains(OidcScopes.OPENID)) {
 			// openid scope is auto-approved as it does not require consent
 			authorizedScopes.add(OidcScopes.OPENID);
 		}
+
+		this.userConsentRepository.saveAll(
+				userConsentRequestContext.getAuthorization().getPrincipalName(),
+				userConsentRequestContext.getClientId(),
+				authorizedScopes);
+
+		Set<String> deniedScopes = new HashSet<>(userConsentRequestContext.getAuthorizationRequest().getScopes());
+		deniedScopes.removeAll(authorizedScopes);
+		deniedScopes.remove(OidcScopes.OPENID);
+
+		this.userConsentRepository.revokeAll(
+				userConsentRequestContext.getAuthorization().getPrincipalName(),
+				userConsentRequestContext.getClientId(),
+				deniedScopes);
+
+		Instant issuedAt = Instant.now();
+		Instant expiresAt = issuedAt.plus(5, ChronoUnit.MINUTES);		// TODO Allow configuration for authorization code time-to-live
+		OAuth2AuthorizationCode authorizationCode = new OAuth2AuthorizationCode(
+				this.codeGenerator.generateKey(), issuedAt, expiresAt);
 		OAuth2Authorization authorization = OAuth2Authorization.from(userConsentRequestContext.getAuthorization())
 				.token(authorizationCode)
 				.attributes(attrs -> {
@@ -654,9 +685,11 @@ private static class UserConsentPage {
 		private static final String CONSENT_ACTION_CANCEL = "cancel";
 
 		private static void displayConsent(HttpServletRequest request, HttpServletResponse response,
-				RegisteredClient registeredClient, OAuth2Authorization authorization) throws IOException {
+				RegisteredClient registeredClient, OAuth2Authorization authorization,
+				Set<String> scopesRequiringConsent, Set<String> alreadyAuthorizedScopes) throws IOException {
 
-			String consentPage = generateConsentPage(request, registeredClient, authorization);
+			String consentPage = generateConsentPage(request, registeredClient, authorization,
+					scopesRequiringConsent, alreadyAuthorizedScopes);
 			response.setContentType(TEXT_HTML_UTF8.toString());
 			response.setContentLength(consentPage.getBytes(StandardCharsets.UTF_8).length);
 			response.getWriter().write(consentPage);
@@ -671,12 +704,9 @@ private static boolean isConsentCancelled(HttpServletRequest request) {
 		}
 
 		private static String generateConsentPage(HttpServletRequest request,
-				RegisteredClient registeredClient, OAuth2Authorization authorization) {
+				RegisteredClient registeredClient, OAuth2Authorization authorization,
+				Set<String> scopesRequiringConsent, Set<String> alreadyAuthorizedScopes) {
 
-			OAuth2AuthorizationRequest authorizationRequest = authorization.getAttribute(
-					OAuth2AuthorizationRequest.class.getName());
-			Set<String> scopes = new HashSet<>(authorizationRequest.getScopes());
-			scopes.remove(OidcScopes.OPENID);		// openid scope does not require consent
 			String state = authorization.getAttribute(
 					OAuth2ParameterNames.STATE);
 
@@ -711,7 +741,14 @@ private static String generateConsentPage(HttpServletRequest request,
 			builder.append("                <input type=\"hidden\" name=\"client_id\" value=\"" + registeredClient.getClientId() + "\">");
 			builder.append("                <input type=\"hidden\" name=\"state\" value=\"" + state + "\">");
 
-			for (String scope : scopes) {
+			for (String scope : scopesRequiringConsent) {
+				builder.append("                <div class=\"form-group form-check py-1\">");
+				builder.append("                    <input class=\"form-check-input\" type=\"checkbox\" name=\"scope\" value=\"" + scope + "\" id=\"" + scope + "\">");
+				builder.append("                    <label class=\"form-check-label\" for=\"" + scope + "\">" + scope + "</label>");
+				builder.append("                </div>");
+			}
+
+			for (String scope : alreadyAuthorizedScopes) {
 				builder.append("                <div class=\"form-group form-check py-1\">");
 				builder.append("                    <input class=\"form-check-input\" type=\"checkbox\" name=\"scope\" value=\"" + scope + "\" id=\"" + scope + "\" checked>");
 				builder.append("                    <label class=\"form-check-label\" for=\"" + scope + "\">" + scope + "</label>");