Implement OpenID client registration endpoint

See: https://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration

Closes gh-57

Author: ovidiupopa07

oauth2-authorization-server/spring-security-oauth2-authorization-server.gradle

@@ -5,6 +5,7 @@ dependencies {
 	compile 'org.springframework.security:spring-security-web'
 	compile 'org.springframework.security:spring-security-oauth2-core'
 	compile 'org.springframework.security:spring-security-oauth2-jose'
+	compile 'org.springframework.security:spring-security-oauth2-resource-server'
 	compile springCoreDependency
 	compile 'com.nimbusds:nimbus-jose-jwt'
 	compile 'com.fasterxml.jackson.core:jackson-databind'
@@ -15,6 +16,7 @@ dependencies {
 	testCompile 'org.assertj:assertj-core'
 	testCompile 'org.mockito:mockito-core'
 	testCompile 'com.jayway.jsonpath:json-path'
+	testCompile 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310'
 
 	provided 'javax.servlet:javax.servlet-api'
 }

oauth2-authorization-server/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2AuthorizationServerConfiguration.java

@@ -21,15 +21,16 @@
 import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization.OAuth2AuthorizationServerConfigurer;
+import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 
 /**
  * {@link Configuration} for OAuth 2.0 Authorization Server support.
  *
  * @author Joe Grandja
- * @since 0.0.1
  * @see OAuth2AuthorizationServerConfigurer
+ * @since 0.0.1
  */
 @Configuration(proxyBeanMethods = false)
 public class OAuth2AuthorizationServerConfiguration {
@@ -47,14 +48,16 @@ public static void applyDefaultSecurity(HttpSecurity http) throws Exception {
 				new OAuth2AuthorizationServerConfigurer<>();
 		RequestMatcher endpointsMatcher = authorizationServerConfigurer
 				.getEndpointsMatcher();
-
 		http
 			.requestMatcher(endpointsMatcher)
 			.authorizeRequests(authorizeRequests ->
-				authorizeRequests.anyRequest().authenticated()
-			)
-			.csrf(csrf -> csrf.ignoringRequestMatchers(endpointsMatcher))
+					authorizeRequests.anyRequest().authenticated()
+			).csrf(csrf -> csrf.ignoringRequestMatchers(endpointsMatcher))
 			.apply(authorizationServerConfigurer);
+
+		if (authorizationServerConfigurer.isOidcClientRegistrationEnabled()) {
+			http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
+		}
 	}
 	// @formatter:on
 }

oauth2-authorization-server/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationServerConfigurer.java

@@ -44,8 +44,10 @@
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2RefreshTokenAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenIntrospectionAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenRevocationAuthenticationProvider;
+import org.springframework.security.oauth2.server.authorization.authentication.OidcClientRegistrationAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
+import org.springframework.security.oauth2.server.authorization.oidc.web.OidcClientRegistrationEndpointFilter;
 import org.springframework.security.oauth2.server.authorization.oidc.web.OidcProviderConfigurationEndpointFilter;
 import org.springframework.security.oauth2.server.authorization.web.NimbusJwkSetEndpointFilter;
 import org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationEndpointFilter;
@@ -69,6 +71,7 @@
  * @author Joe Grandja
  * @author Daniel Garnier-Moiroux
  * @author Gerardo Roza
+ * @author Ovidiu Popa
  * @since 0.0.1
  * @see AbstractHttpConfigurer
  * @see RegisteredClientRepository
@@ -81,6 +84,7 @@
  * @see OidcProviderConfigurationEndpointFilter
  * @see OAuth2AuthorizationServerMetadataEndpointFilter
  * @see OAuth2ClientAuthenticationFilter
+ * @see OidcClientRegistrationEndpointFilter
  */
 public final class OAuth2AuthorizationServerConfigurer<B extends HttpSecurityBuilder<B>>
 		extends AbstractHttpConfigurer<OAuth2AuthorizationServerConfigurer<B>, B> {
@@ -92,14 +96,16 @@ public final class OAuth2AuthorizationServerConfigurer<B extends HttpSecurityBui
 	private RequestMatcher jwkSetEndpointMatcher;
 	private RequestMatcher oidcProviderConfigurationEndpointMatcher;
 	private RequestMatcher authorizationServerMetadataEndpointMatcher;
+	private RequestMatcher oidcClientRegistrationEndpointMatcher;
 	private final RequestMatcher endpointsMatcher = (request) ->
 			this.authorizationEndpointMatcher.matches(request) ||
 			this.tokenEndpointMatcher.matches(request) ||
 			this.tokenIntrospectionEndpointMatcher.matches(request) ||
 			this.tokenRevocationEndpointMatcher.matches(request) ||
 			this.jwkSetEndpointMatcher.matches(request) ||
 			this.oidcProviderConfigurationEndpointMatcher.matches(request) ||
-			this.authorizationServerMetadataEndpointMatcher.matches(request);
+			this.authorizationServerMetadataEndpointMatcher.matches(request) ||
+			this.oidcClientRegistrationEndpointMatcher.matches(request);
 
 	/**
 	 * Sets the repository of registered clients.
@@ -146,6 +152,17 @@ public RequestMatcher getEndpointsMatcher() {
 		return this.endpointsMatcher;
 	}
 
+	/**
+	 * Returns {@code true} if the OIDC Client Registration endpoint is enabled.
+	 * The default is {@code false}.
+	 *
+	 * @return {@code true} if the OIDC Client Registration endpoint is enabled, {@code false} otherwise
+	 */
+	public boolean isOidcClientRegistrationEnabled() {
+		ProviderSettings providerSettings = getProviderSettings(this.getBuilder());
+		return providerSettings.isOidClientRegistrationEndpointEnabled();
+	}
+
 	@Override
 	public void init(B builder) {
 		ProviderSettings providerSettings = getProviderSettings(builder);
@@ -199,6 +216,11 @@ public void init(B builder) {
 						getAuthorizationService(builder));
 		builder.authenticationProvider(postProcess(tokenRevocationAuthenticationProvider));
 
+		OidcClientRegistrationAuthenticationProvider clientRegistrationAuthenticationProvider =
+				new OidcClientRegistrationAuthenticationProvider(
+						getAuthorizationService(builder));
+		builder.authenticationProvider(postProcess(clientRegistrationAuthenticationProvider));
+
 		ExceptionHandlingConfigurer<B> exceptionHandling = builder.getConfigurer(ExceptionHandlingConfigurer.class);
 		if (exceptionHandling != null) {
 			exceptionHandling.defaultAuthenticationEntryPointFor(
@@ -224,6 +246,9 @@ public void configure(B builder) {
 			builder.addFilterBefore(postProcess(authorizationServerMetadataEndpointFilter), AbstractPreAuthenticatedProcessingFilter.class);
 		}
 
+		RegisteredClientRepository registeredClientRepository = getRegisteredClientRepository(builder);
+		OAuth2AuthorizationService authorizationService = getAuthorizationService(builder);
+
 		JWKSource<SecurityContext> jwkSource = getJwkSource(builder);
 		NimbusJwkSetEndpointFilter jwkSetEndpointFilter = new NimbusJwkSetEndpointFilter(
 				jwkSource,
@@ -243,8 +268,8 @@ public void configure(B builder) {
 
 		OAuth2AuthorizationEndpointFilter authorizationEndpointFilter =
 				new OAuth2AuthorizationEndpointFilter(
-						getRegisteredClientRepository(builder),
-						getAuthorizationService(builder),
+						registeredClientRepository,
+						authorizationService,
 						providerSettings.authorizationEndpoint());
 		builder.addFilterBefore(postProcess(authorizationEndpointFilter), AbstractPreAuthenticatedProcessingFilter.class);
 
@@ -265,6 +290,15 @@ public void configure(B builder) {
 						authenticationManager,
 						providerSettings.tokenRevocationEndpoint());
 		builder.addFilterAfter(postProcess(tokenRevocationEndpointFilter), OAuth2TokenIntrospectionEndpointFilter.class);
+
+		if (providerSettings.isOidClientRegistrationEndpointEnabled()) {
+			OidcClientRegistrationEndpointFilter oidcClientRegistrationEndpointFilter =
+					new OidcClientRegistrationEndpointFilter(
+							registeredClientRepository,
+							authenticationManager,
+							providerSettings.oidcClientRegistrationEndpoint());
+			builder.addFilterAfter(postProcess(oidcClientRegistrationEndpointFilter), OAuth2TokenRevocationEndpointFilter.class);
+		}
 	}
 
 	private void initEndpointMatchers(ProviderSettings providerSettings) {
@@ -287,6 +321,9 @@ private void initEndpointMatchers(ProviderSettings providerSettings) {
 				OidcProviderConfigurationEndpointFilter.DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI, HttpMethod.GET.name());
 		this.authorizationServerMetadataEndpointMatcher = new AntPathRequestMatcher(
 				OAuth2AuthorizationServerMetadataEndpointFilter.DEFAULT_OAUTH2_AUTHORIZATION_SERVER_METADATA_ENDPOINT_URI, HttpMethod.GET.name());
+		this.oidcClientRegistrationEndpointMatcher = new AntPathRequestMatcher(
+				providerSettings.oidcClientRegistrationEndpoint(),
+				HttpMethod.POST.name());
 	}
 
 	private static void validateProviderSettings(ProviderSettings providerSettings) {

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/OidcClientMetadataClaimAccessor.java

@@ -0,0 +1,130 @@
+/*
+ * Copyright 2020-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.core.oidc;
+
+import org.springframework.security.oauth2.core.ClaimAccessor;
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
+
+import java.time.Instant;
+import java.util.List;
+
+/**
+ * A {@link ClaimAccessor} for the "claims" that can be returned
+ * in the OpenID Client Registration Response.
+ *
+ * @author Ovidiu Popa
+ * @since 0.1.1
+ * @see ClaimAccessor
+ * @see OidcClientMetadataClaimNames
+ * @see OidcClientRegistration
+ * @see <a target="_blank" href="https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata">2. Client Metadata</a>
+ */
+public interface OidcClientMetadataClaimAccessor extends ClaimAccessor {
+
+	/**
+	 * Returns the redirect URI(s) that the client may use in redirect-based flows.
+	 *
+	 * @return the {@code List} of redirect URI(s)
+	 */
+	default List<String> getRedirectUris() {
+		return getClaimAsStringList(OidcClientMetadataClaimNames.REDIRECT_URIS);
+	}
+
+	/**
+	 * Returns the OAuth 2.0 {@code response_type} values that the client may use.
+	 *
+	 * @return the {@code List} of {@code response_type}
+	 */
+	default List<String> getResponseTypes() {
+		return getClaimAsStringList(OidcClientMetadataClaimNames.RESPONSE_TYPES);
+	}
+
+	/**
+	 * Returns the authorization {@code grant_types} that the client may use.
+	 *
+	 * @return the {@code List} of authorization {@code grant_types}
+	 */
+	default List<String> getGrantTypes() {
+		return getClaimAsStringList(OidcClientMetadataClaimNames.GRANT_TYPES);
+	}
+
+	/**
+	 * Returns the {@code client_name}.
+	 *
+	 * @return the {@code client_name}
+	 */
+	default String getClientName() {
+		return getClaimAsString(OidcClientMetadataClaimNames.CLIENT_NAME);
+	}
+
+	/**
+	 * Returns the scope(s) that the client may use.
+	 *
+	 * @return the scope(s)
+	 */
+	default String getScope() {
+		return getClaimAsString(OidcClientMetadataClaimNames.SCOPE);
+	}
+
+	/**
+	 * Returns the {@link ClientAuthenticationMethod authentication method} that the client may use.
+	 *
+	 * @return the {@link ClientAuthenticationMethod authentication method}
+	 */
+	default String getTokenEndpointAuthenticationMethod() {
+		return getClaimAsString(OidcClientMetadataClaimNames.TOKEN_ENDPOINT_AUTH_METHOD);
+	}
+
+	/**
+	 * Returns the {@code client_id}.
+	 *
+	 * @return the {@code client_id}
+	 */
+	default String getClientId() {
+		return getClaimAsString(OidcClientMetadataClaimNames.CLIENT_ID);
+	}
+
+	/**
+	 * Returns the {@code client_id_issued_at} timestamp.
+	 *
+	 * @return the {@code client_id_issued_at} timestamp
+	 */
+	default Instant getClientIdIssuedAt() {
+		return getClaimAsInstant(OidcClientMetadataClaimNames.CLIENT_ID_ISSUED_AT);
+	}
+
+	/**
+	 * Returns the {@code client_secret}.
+	 *
+	 * @return the {@code client_secret}
+	 */
+	default String getClientSecret() {
+		return getClaimAsString(OidcClientMetadataClaimNames.CLIENT_SECRET);
+	}
+
+	/**
+	 * Returns the {@code client_secret_expires_at} timestamp.
+	 *
+	 * @return the {@code client_secret_expires_at} timestamp
+	 */
+	default Instant getClientSecretExpiresAt() {
+		return getClaimAsInstant(OidcClientMetadataClaimNames.CLIENT_SECRET_EXPIRES_AT);
+	}
+
+
+
+
+}

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/OidcClientMetadataClaimNames.java

@@ -0,0 +1,79 @@
+/*
+ * Copyright 2020-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.core.oidc;
+
+/**
+ * The names of the "claims" defined by OpenID Client Registration 1.0 that can be returned
+ * in the OpenID Client Registration Response.
+ *
+ * @author Ovidiu Popa
+ * @since 0.1.1
+ * @see <a target="_blank" href="https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata">2. Client Metadata</a>
+ */
+public interface OidcClientMetadataClaimNames {
+
+	//request
+	/**
+	 * {@code redirect_uris} - the redirect URI(s) that the client may use in redirect-based flows
+	 */
+	String REDIRECT_URIS = "redirect_uris";
+
+	/**
+	 * {@code response_types} - the OAuth 2.0 {@code response_type} values that the client may use
+	 */
+	String RESPONSE_TYPES = "response_types";
+
+	/**
+	 * {@code grant_types} - the OAuth 2.0 authorization {@code grant_types} that the client may use
+	 */
+	String GRANT_TYPES = "grant_types";
+
+	/**
+	 * {@code client_name} - the {@code client_name}
+	 */
+	String CLIENT_NAME = "client_name";
+
+	/**
+	 * {@code scope} - the scope(s) that the client may use
+	 */
+	String SCOPE = "scope";
+
+	/**
+	 * {@code token_endpoint_auth_method} - the {@link org.springframework.security.oauth2.core.ClientAuthenticationMethod authentication method} that the client may use.
+	 */
+	String TOKEN_ENDPOINT_AUTH_METHOD = "token_endpoint_auth_method";
+
+	//response
+	/**
+	 * {@code client_id} - the {@code client_id}
+	 */
+	String CLIENT_ID = "client_id";
+
+	/**
+	 * {@code client_secret} - the {@code client_secret}
+	 */
+	String CLIENT_SECRET = "client_secret";
+
+	/**
+	 * {@code client_id_issued_at} - the timestamp when the client id was issued
+	 */
+	String CLIENT_ID_ISSUED_AT = "client_id_issued_at";
+
+	/**
+	 * {@code client_secret_expires_at} - the timestamp when the client secret expires
+	 */
+	String CLIENT_SECRET_EXPIRES_AT = "client_secret_expires_at";
+}