spring-projects
diff --git a/‎oauth2-authorization-server/spring-security-oauth2-authorization-server.gradle
+2 b/‎oauth2-authorization-server/spring-security-oauth2-authorization-server.gradle
+2
diff --git a/‎oauth2-authorization-server/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationServerConfigurer.java
+45-3 b/‎oauth2-authorization-server/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationServerConfigurer.java
+45-3
diff --git a/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/TokenType.java
+1 b/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/TokenType.java
+1
diff --git a/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenIntrospectionAuthenticationProvider.java
+179 b/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenIntrospectionAuthenticationProvider.java
+179
@@ -7,6 +7,7 @@ dependencies {
 	compile 'org.springframework.security:spring-security-oauth2-jose'
 	compile springCoreDependency
 	compile 'com.nimbusds:nimbus-jose-jwt'
+	compile 'com.nimbusds:oauth2-oidc-sdk'
 	compile 'com.fasterxml.jackson.core:jackson-databind'
 
 	testCompile 'org.springframework.security:spring-security-test'
@@ -15,6 +16,7 @@ dependencies {
 	testCompile 'org.assertj:assertj-core'
 	testCompile 'org.mockito:mockito-core'
 	testCompile 'com.jayway.jsonpath:json-path'
+	testCompile 'org.hamcrest:hamcrest:2.2'
 
 	provided 'javax.servlet:javax.servlet-api'
 }
 
@@ -24,21 +24,28 @@
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
+import org.springframework.security.crypto.key.AsymmetricKey;
+import org.springframework.security.crypto.key.CryptoKey;
 import org.springframework.security.crypto.key.CryptoKeySource;
+import org.springframework.security.crypto.key.SymmetricKey;
 import org.springframework.security.oauth2.jose.jws.NimbusJwsEncoder;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
 import org.springframework.security.oauth2.server.authorization.InMemoryOAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2RefreshTokenAuthenticationProvider;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenIntrospectionAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenRevocationAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
 import org.springframework.security.oauth2.server.authorization.web.JwkSetEndpointFilter;
 import org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationEndpointFilter;
 import org.springframework.security.oauth2.server.authorization.web.OAuth2ClientAuthenticationFilter;
 import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter;
+import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenIntrospectionEndpointFilter;
 import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenRevocationEndpointFilter;
 import org.springframework.security.oauth2.server.authorization.web.OidcProviderConfigurationEndpointFilter;
 import org.springframework.security.web.AuthenticationEntryPoint;
@@ -55,7 +62,11 @@
 import org.springframework.util.StringUtils;
 
 import java.net.URI;
+import java.security.Key;
+import java.security.interfaces.RSAPublicKey;
+import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
@@ -65,12 +76,14 @@
  *
  * @author Joe Grandja
  * @author Daniel Garnier-Moiroux
+ * @author Gerardo Roza
  * @since 0.0.1
  * @see AbstractHttpConfigurer
  * @see RegisteredClientRepository
  * @see OAuth2AuthorizationService
  * @see OAuth2AuthorizationEndpointFilter
  * @see OAuth2TokenEndpointFilter
+ * @see OAuth2TokenIntrospectionEndpointFilter
  * @see OAuth2TokenRevocationEndpointFilter
  * @see JwkSetEndpointFilter
  * @see OidcProviderConfigurationEndpointFilter
@@ -88,6 +101,8 @@ public final class OAuth2AuthorizationServerConfigurer<B extends HttpSecurityBui
 					HttpMethod.POST.name()));
 	private final RequestMatcher tokenEndpointMatcher = new AntPathRequestMatcher(
 			OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI, HttpMethod.POST.name());
+	private final RequestMatcher tokenIntrospectionMatcher = new AntPathRequestMatcher(
+			OAuth2TokenIntrospectionEndpointFilter.DEFAULT_TOKEN_INTROSPECTION_ENDPOINT_URI, HttpMethod.POST.name());
 	private final RequestMatcher tokenRevocationEndpointMatcher = new AntPathRequestMatcher(
 			OAuth2TokenRevocationEndpointFilter.DEFAULT_TOKEN_REVOCATION_ENDPOINT_URI, HttpMethod.POST.name());
 	private final RequestMatcher jwkSetEndpointMatcher = new AntPathRequestMatcher(
@@ -152,7 +167,7 @@ public List<RequestMatcher> getEndpointMatchers() {
 		// TODO Initialize matchers using URI's from ProviderSettings
 		return Arrays.asList(this.authorizationEndpointMatcher, this.tokenEndpointMatcher,
 				this.tokenRevocationEndpointMatcher, this.jwkSetEndpointMatcher,
-				this.oidcProviderConfigurationEndpointMatcher);
+				this.oidcProviderConfigurationEndpointMatcher, this.tokenIntrospectionMatcher);
 	}
 
 	@Override
@@ -192,11 +207,17 @@ public void init(B builder) {
 						getAuthorizationService(builder));
 		builder.authenticationProvider(postProcess(tokenRevocationAuthenticationProvider));
 
+		OAuth2TokenIntrospectionAuthenticationProvider tokenIntrospectionAuthenticationProvider =
+				new OAuth2TokenIntrospectionAuthenticationProvider(
+						getAuthorizationService(builder), getJwtDecoders(builder));
+		builder.authenticationProvider(postProcess(tokenIntrospectionAuthenticationProvider));
+
 		ExceptionHandlingConfigurer<B> exceptionHandling = builder.getConfigurer(ExceptionHandlingConfigurer.class);
 		if (exceptionHandling != null) {
 			LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPoints = new LinkedHashMap<>();
 			entryPoints.put(
-					new OrRequestMatcher(this.tokenEndpointMatcher, this.tokenRevocationEndpointMatcher),
+					new OrRequestMatcher(this.tokenEndpointMatcher, this.tokenRevocationEndpointMatcher,
+							this.tokenIntrospectionMatcher),
 					new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
 			DelegatingAuthenticationEntryPoint authenticationEntryPoint =
 					new DelegatingAuthenticationEntryPoint(entryPoints);
@@ -229,7 +250,8 @@ public void configure(B builder) {
 		OAuth2ClientAuthenticationFilter clientAuthenticationFilter =
 				new OAuth2ClientAuthenticationFilter(
 						authenticationManager,
-						new OrRequestMatcher(this.tokenEndpointMatcher, this.tokenRevocationEndpointMatcher));
+						new OrRequestMatcher(this.tokenEndpointMatcher, this.tokenRevocationEndpointMatcher,
+								this.tokenIntrospectionMatcher));
 		builder.addFilterAfter(postProcess(clientAuthenticationFilter), AbstractPreAuthenticatedProcessingFilter.class);
 
 		OAuth2AuthorizationEndpointFilter authorizationEndpointFilter =
@@ -251,6 +273,12 @@ public void configure(B builder) {
 						authenticationManager,
 						providerSettings.tokenRevocationEndpoint());
 		builder.addFilterAfter(postProcess(tokenRevocationEndpointFilter), OAuth2TokenEndpointFilter.class);
+
+		OAuth2TokenIntrospectionEndpointFilter tokenIntrospectionEndpointFilter =
+				new OAuth2TokenIntrospectionEndpointFilter(
+						authenticationManager,
+						providerSettings.tokenIntrospectionEndpoint());
+		builder.addFilterAfter(postProcess(tokenIntrospectionEndpointFilter), OAuth2TokenEndpointFilter.class);
 	}
 
 	private static <B extends HttpSecurityBuilder<B>> RegisteredClientRepository getRegisteredClientRepository(B builder) {
@@ -278,6 +306,20 @@ private static <B extends HttpSecurityBuilder<B>> OAuth2AuthorizationService get
 		return authorizationService;
 	}
 
+	private static <B extends HttpSecurityBuilder<B>> Collection<JwtDecoder> getJwtDecoders(B builder) {
+		Collection<JwtDecoder> jwtDecoders = new ArrayList<>();
+		for (CryptoKey<? extends Key> cryptoKey : getKeySource(builder).getKeys()) {
+			if (AsymmetricKey.class.isAssignableFrom(cryptoKey.getClass())
+					&& RSAPublicKey.class.isAssignableFrom(((AsymmetricKey) cryptoKey).getPublicKey().getClass())) {
+				jwtDecoders.add(NimbusJwtDecoder
+						.withPublicKey((RSAPublicKey) ((AsymmetricKey) cryptoKey).getPublicKey()).build());
+			} else if (SymmetricKey.class.isAssignableFrom(cryptoKey.getClass())) {
+				jwtDecoders.add(NimbusJwtDecoder.withSecretKey(((SymmetricKey) cryptoKey).getKey()).build());
+			}
+		}
+		return jwtDecoders;
+	}
+
 	private static <B extends HttpSecurityBuilder<B>> OAuth2AuthorizationService getAuthorizationServiceBean(B builder) {
 		Map<String, OAuth2AuthorizationService> authorizationServiceMap = BeanFactoryUtils.beansOfTypeIncludingAncestors(
 				builder.getSharedObject(ApplicationContext.class), OAuth2AuthorizationService.class);
 
@@ -26,6 +26,7 @@ public final class TokenType implements Serializable {
 	private static final long serialVersionUID = Version.SERIAL_VERSION_UID;
 	public static final TokenType ACCESS_TOKEN = new TokenType("access_token");
 	public static final TokenType REFRESH_TOKEN = new TokenType("refresh_token");
+	public static final TokenType ID_TOKEN = new TokenType("id_token");
 	public static final TokenType AUTHORIZATION_CODE = new TokenType("authorization_code");
 	private final String value;
 
 
@@ -0,0 +1,179 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.authentication;
+
+import static org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthenticationProviderUtils.getAuthenticatedClientElseThrowInvalidClient;
+
+import java.util.Collection;
+import java.util.stream.Collectors;
+
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.oauth2.core.AbstractOAuth2Token;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.OAuth2ErrorCodes2;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.jwt.JwtException;
+import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
+import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
+import org.springframework.security.oauth2.server.authorization.TokenType;
+import org.springframework.security.oauth2.server.authorization.Version;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.security.oauth2.server.authorization.token.TokenExpirationValidator;
+import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
+
+/**
+ * An {@link AuthenticationProvider} implementation for OAuth 2.0 Token Introspection.
+ *
+ * @author Gerardo Roza
+ * @since 0.0.4
+ * @see OAuth2TokenIntrospectionAuthenticationToken
+ * @see OAuth2AuthorizationService
+ * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7662#section-2.1">Section 2.1 - Introspection Request</a>
+ */
+public class OAuth2TokenIntrospectionAuthenticationProvider implements AuthenticationProvider {
+	private final OAuth2AuthorizationService authorizationService;
+	private final Collection<JwtDecoder> jwtDecoders;
+
+	/**
+	 * Constructs an {@code OAuth2TokenIntrospectionAuthenticationProvider} using the provided parameters.
+	 *
+	 * @param authorizationService the authorization service
+	 * @param jwtDecoders all available decoders that might be used to parse the token as a JWT-encoded token
+	 */
+	public OAuth2TokenIntrospectionAuthenticationProvider(OAuth2AuthorizationService authorizationService,
+			Collection<JwtDecoder> jwtDecoders) {
+		Assert.notNull(authorizationService, "authorizationService cannot be null");
+		this.authorizationService = authorizationService;
+		this.jwtDecoders = jwtDecoders;
+	}
+
+	@Override
+	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+		OAuth2TokenIntrospectionAuthenticationToken tokenIntrospectionAuthentication = (OAuth2TokenIntrospectionAuthenticationToken) authentication;
+
+		OAuth2ClientAuthenticationToken clientPrincipal = getAuthenticatedClientElseThrowInvalidClient(
+				tokenIntrospectionAuthentication);
+		RegisteredClient registeredClient = clientPrincipal.getRegisteredClient();
+
+		TokenType tokenType = null;
+
+		try {
+			String tokenTypeHint = tokenIntrospectionAuthentication.getTokenTypeHint();
+			if (StringUtils.hasText(tokenTypeHint)) {
+				if (TokenType.REFRESH_TOKEN.getValue().equals(tokenTypeHint)) {
+					tokenType = TokenType.REFRESH_TOKEN;
+				} else if (TokenType.ACCESS_TOKEN.getValue().equals(tokenTypeHint)) {
+					tokenType = TokenType.ACCESS_TOKEN;
+				} else if (TokenType.ID_TOKEN.getValue().equals(tokenTypeHint)) {
+					tokenType = TokenType.ID_TOKEN;
+				} else {
+					throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes2.UNSUPPORTED_TOKEN_TYPE));
+				}
+			}
+
+			OAuth2Authorization authorization = this.authorizationService
+					.findByToken(tokenIntrospectionAuthentication.getTokenValue(), tokenType);
+			if (authorization == null) {
+				throw new IntrospectionTokenException("Token not found");
+			}
+
+			if (!registeredClient.getId().equals(authorization.getRegisteredClientId())) {
+				throw new IntrospectionTokenException("Invalid client");
+			}
+
+			AbstractOAuth2Token token = authorization.getTokens().getToken(tokenIntrospectionAuthentication.getTokenValue())
+					.get();
+
+			if (authorization.getTokens().getTokenMetadata(token).isInvalidated()) {
+				throw new IntrospectionTokenException("Token has been invalidated");
+			}
+
+			token = parseJwt(token);
+
+			validateToken(token);
+
+			return new OAuth2TokenIntrospectionAuthenticationToken(clientPrincipal, registeredClient.getClientId(), token);
+		} catch (IntrospectionTokenException exception) {
+			return new OAuth2TokenIntrospectionAuthenticationToken(clientPrincipal, registeredClient.getClientId(), null);
+		}
+	}
+
+	@Override
+	public boolean supports(Class<?> authentication) {
+		return OAuth2TokenIntrospectionAuthenticationToken.class.isAssignableFrom(authentication);
+	}
+
+	private AbstractOAuth2Token parseJwt(AbstractOAuth2Token token) {
+		for (JwtDecoder jwtDecoder : this.jwtDecoders) {
+			try {
+				return jwtDecoder.decode(token.getTokenValue());
+			} catch (JwtException ex) {
+				// token might not be a JWT, or can't be processed with this decoder.
+			}
+		}
+		return token;
+	}
+
+	@SuppressWarnings("unchecked")
+	private <T extends AbstractOAuth2Token> void validateToken(T token) {
+		OAuth2TokenValidator<T> tokenValidator = (token instanceof Jwt) ? (OAuth2TokenValidator<T>) new JwtTimestampValidator()
+				: (OAuth2TokenValidator<T>) new TokenExpirationValidator();
+		OAuth2TokenValidatorResult result = tokenValidator.validate(token);
+		if (result.hasErrors()) {
+			String errorMessages = result.getErrors().stream().map(OAuth2Error::getErrorCode)
+					.collect(Collectors.joining(", ", "Invalid Token:", "."));
+			throw new IntrospectionTokenException(errorMessages);
+		}
+	}
+
+	/**
+	 * Exception that can be triggered when a token is found invalid.
+	 *
+	 * @author Gerardo Roza
+	 */
+	private static class IntrospectionTokenException extends RuntimeException {
+
+		private static final long serialVersionUID = Version.SERIAL_VERSION_UID;
+
+		/**
+		 * Construct an instance of {@link IntrospectionTokenException} given the provided description.
+		 *
+		 * @param description the description
+		 */
+		IntrospectionTokenException(String description) {
+			this(description, null);
+		}
+
+		/**
+		 * Construct an instance of {@link IntrospectionTokenException} given the provided description and cause
+		 *
+		 * @param description the description
+		 * @param cause the causing exception
+		 */
+		IntrospectionTokenException(String description, Throwable cause) {
+			super(description, cause);
+		}
+	}
+
+}