Polish gh-189

Author: jgrandja

oauth2-authorization-server/spring-security-oauth2-authorization-server.gradle

@@ -16,7 +16,6 @@ dependencies {
 	testCompile 'org.assertj:assertj-core'
 	testCompile 'org.mockito:mockito-core'
 	testCompile 'com.jayway.jsonpath:json-path'
-	testCompile 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310'
 
 	provided 'javax.servlet:javax.servlet-api'
 }

oauth2-authorization-server/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2AuthorizationServerConfiguration.java

@@ -15,22 +15,35 @@
  */
 package org.springframework.security.config.annotation.web.configuration;
 
+import java.util.HashSet;
+import java.util.Set;
+
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.jwk.source.JWKSource;
+import com.nimbusds.jose.proc.JWSKeySelector;
+import com.nimbusds.jose.proc.JWSVerificationKeySelector;
+import com.nimbusds.jose.proc.SecurityContext;
+import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
+import com.nimbusds.jwt.proc.DefaultJWTProcessor;
+
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization.OAuth2AuthorizationServerConfigurer;
 import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 
 /**
  * {@link Configuration} for OAuth 2.0 Authorization Server support.
  *
  * @author Joe Grandja
- * @see OAuth2AuthorizationServerConfigurer
  * @since 0.0.1
+ * @see OAuth2AuthorizationServerConfigurer
  */
 @Configuration(proxyBeanMethods = false)
 public class OAuth2AuthorizationServerConfiguration {
@@ -48,16 +61,32 @@ public static void applyDefaultSecurity(HttpSecurity http) throws Exception {
 				new OAuth2AuthorizationServerConfigurer<>();
 		RequestMatcher endpointsMatcher = authorizationServerConfigurer
 				.getEndpointsMatcher();
+
 		http
 			.requestMatcher(endpointsMatcher)
 			.authorizeRequests(authorizeRequests ->
-					authorizeRequests.anyRequest().authenticated()
-			).csrf(csrf -> csrf.ignoringRequestMatchers(endpointsMatcher))
+				authorizeRequests.anyRequest().authenticated()
+			)
+			.csrf(csrf -> csrf.ignoringRequestMatchers(endpointsMatcher))
+			.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
 			.apply(authorizationServerConfigurer);
-
-		if (authorizationServerConfigurer.isOidcClientRegistrationEnabled()) {
-			http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
-		}
 	}
 	// @formatter:on
+
+	@Bean
+	public static JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
+		Set<JWSAlgorithm> jwsAlgs = new HashSet<>();
+		jwsAlgs.addAll(JWSAlgorithm.Family.RSA);
+		jwsAlgs.addAll(JWSAlgorithm.Family.EC);
+		jwsAlgs.addAll(JWSAlgorithm.Family.HMAC_SHA);
+		ConfigurableJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();
+		JWSKeySelector<SecurityContext> jwsKeySelector =
+				new JWSVerificationKeySelector<>(jwsAlgs, jwkSource);
+		jwtProcessor.setJWSKeySelector(jwsKeySelector);
+		// Override the default Nimbus claims set verifier as NimbusJwtDecoder handles it instead
+		jwtProcessor.setJWTClaimsSetVerifier((claims, context) -> {
+		});
+		return new NimbusJwtDecoder(jwtProcessor);
+	}
+
 }

oauth2-authorization-server/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationServerConfigurer.java

@@ -44,9 +44,9 @@
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2RefreshTokenAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenIntrospectionAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenRevocationAuthenticationProvider;
-import org.springframework.security.oauth2.server.authorization.authentication.OidcClientRegistrationAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
+import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcClientRegistrationAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.oidc.web.OidcClientRegistrationEndpointFilter;
 import org.springframework.security.oauth2.server.authorization.oidc.web.OidcProviderConfigurationEndpointFilter;
 import org.springframework.security.oauth2.server.authorization.web.NimbusJwkSetEndpointFilter;
@@ -152,17 +152,6 @@ public RequestMatcher getEndpointsMatcher() {
 		return this.endpointsMatcher;
 	}
 
-	/**
-	 * Returns {@code true} if the OIDC Client Registration endpoint is enabled.
-	 * The default is {@code false}.
-	 *
-	 * @return {@code true} if the OIDC Client Registration endpoint is enabled, {@code false} otherwise
-	 */
-	public boolean isOidcClientRegistrationEnabled() {
-		ProviderSettings providerSettings = getProviderSettings(this.getBuilder());
-		return providerSettings.isOidClientRegistrationEndpointEnabled();
-	}
-
 	@Override
 	public void init(B builder) {
 		ProviderSettings providerSettings = getProviderSettings(builder);
@@ -216,10 +205,12 @@ public void init(B builder) {
 						getAuthorizationService(builder));
 		builder.authenticationProvider(postProcess(tokenRevocationAuthenticationProvider));
 
-		OidcClientRegistrationAuthenticationProvider clientRegistrationAuthenticationProvider =
+		// TODO Make OpenID Client Registration an "opt-in" feature
+		OidcClientRegistrationAuthenticationProvider oidcClientRegistrationAuthenticationProvider =
 				new OidcClientRegistrationAuthenticationProvider(
+						getRegisteredClientRepository(builder),
 						getAuthorizationService(builder));
-		builder.authenticationProvider(postProcess(clientRegistrationAuthenticationProvider));
+		builder.authenticationProvider(postProcess(oidcClientRegistrationAuthenticationProvider));
 
 		ExceptionHandlingConfigurer<B> exceptionHandling = builder.getConfigurer(ExceptionHandlingConfigurer.class);
 		if (exceptionHandling != null) {
@@ -246,9 +237,6 @@ public void configure(B builder) {
 			builder.addFilterBefore(postProcess(authorizationServerMetadataEndpointFilter), AbstractPreAuthenticatedProcessingFilter.class);
 		}
 
-		RegisteredClientRepository registeredClientRepository = getRegisteredClientRepository(builder);
-		OAuth2AuthorizationService authorizationService = getAuthorizationService(builder);
-
 		JWKSource<SecurityContext> jwkSource = getJwkSource(builder);
 		NimbusJwkSetEndpointFilter jwkSetEndpointFilter = new NimbusJwkSetEndpointFilter(
 				jwkSource,
@@ -268,8 +256,8 @@ public void configure(B builder) {
 
 		OAuth2AuthorizationEndpointFilter authorizationEndpointFilter =
 				new OAuth2AuthorizationEndpointFilter(
-						registeredClientRepository,
-						authorizationService,
+						getRegisteredClientRepository(builder),
+						getAuthorizationService(builder),
 						providerSettings.authorizationEndpoint());
 		builder.addFilterBefore(postProcess(authorizationEndpointFilter), AbstractPreAuthenticatedProcessingFilter.class);
 
@@ -291,14 +279,12 @@ public void configure(B builder) {
 						providerSettings.tokenRevocationEndpoint());
 		builder.addFilterAfter(postProcess(tokenRevocationEndpointFilter), OAuth2TokenIntrospectionEndpointFilter.class);
 
-		if (providerSettings.isOidClientRegistrationEndpointEnabled()) {
-			OidcClientRegistrationEndpointFilter oidcClientRegistrationEndpointFilter =
-					new OidcClientRegistrationEndpointFilter(
-							registeredClientRepository,
-							authenticationManager,
-							providerSettings.oidcClientRegistrationEndpoint());
-			builder.addFilterAfter(postProcess(oidcClientRegistrationEndpointFilter), OAuth2TokenRevocationEndpointFilter.class);
-		}
+		// TODO Make OpenID Client Registration an "opt-in" feature
+		OidcClientRegistrationEndpointFilter oidcClientRegistrationEndpointFilter =
+				new OidcClientRegistrationEndpointFilter(
+						authenticationManager,
+						providerSettings.oidcClientRegistrationEndpoint());
+		builder.addFilterAfter(postProcess(oidcClientRegistrationEndpointFilter), OAuth2TokenRevocationEndpointFilter.class);
 	}
 
 	private void initEndpointMatchers(ProviderSettings providerSettings) {
@@ -322,8 +308,7 @@ private void initEndpointMatchers(ProviderSettings providerSettings) {
 		this.authorizationServerMetadataEndpointMatcher = new AntPathRequestMatcher(
 				OAuth2AuthorizationServerMetadataEndpointFilter.DEFAULT_OAUTH2_AUTHORIZATION_SERVER_METADATA_ENDPOINT_URI, HttpMethod.GET.name());
 		this.oidcClientRegistrationEndpointMatcher = new AntPathRequestMatcher(
-				providerSettings.oidcClientRegistrationEndpoint(),
-				HttpMethod.POST.name());
+				providerSettings.oidcClientRegistrationEndpoint(), HttpMethod.POST.name());
 	}
 
 	private static void validateProviderSettings(ProviderSettings providerSettings) {

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/OidcClientMetadataClaimAccessor.java

@@ -15,17 +15,18 @@
  */
 package org.springframework.security.oauth2.core.oidc;
 
-import org.springframework.security.oauth2.core.ClaimAccessor;
-import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
-
 import java.time.Instant;
 import java.util.List;
 
+import org.springframework.security.oauth2.core.ClaimAccessor;
+import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
+
 /**
- * A {@link ClaimAccessor} for the "claims" that can be returned
- * in the OpenID Client Registration Response.
+ * A {@link ClaimAccessor} for the "claims" that are contained
+ * in the OpenID Client Registration Request and Response.
  *
  * @author Ovidiu Popa
+ * @author Joe Grandja
  * @since 0.1.1
  * @see ClaimAccessor
  * @see OidcClientMetadataClaimNames
@@ -35,96 +36,102 @@
 public interface OidcClientMetadataClaimAccessor extends ClaimAccessor {
 
 	/**
-	 * Returns the redirect URI(s) that the client may use in redirect-based flows.
+	 * Returns the Client Identifier {@code (client_id)}.
 	 *
-	 * @return the {@code List} of redirect URI(s)
+	 * @return the Client Identifier
 	 */
-	default List<String> getRedirectUris() {
-		return getClaimAsStringList(OidcClientMetadataClaimNames.REDIRECT_URIS);
+	default String getClientId() {
+		return getClaimAsString(OidcClientMetadataClaimNames.CLIENT_ID);
 	}
 
 	/**
-	 * Returns the OAuth 2.0 {@code response_type} values that the client may use.
+	 * Returns the time at which the Client Identifier was issued {@code (client_id_issued_at)}.
 	 *
-	 * @return the {@code List} of {@code response_type}
+	 * @return the time at which the Client Identifier was issued
 	 */
-	default List<String> getResponseTypes() {
-		return getClaimAsStringList(OidcClientMetadataClaimNames.RESPONSE_TYPES);
+	default Instant getClientIdIssuedAt() {
+		return getClaimAsInstant(OidcClientMetadataClaimNames.CLIENT_ID_ISSUED_AT);
 	}
 
 	/**
-	 * Returns the authorization {@code grant_types} that the client may use.
+	 * Returns the Client Secret {@code (client_secret)}.
 	 *
-	 * @return the {@code List} of authorization {@code grant_types}
+	 * @return the Client Secret
 	 */
-	default List<String> getGrantTypes() {
-		return getClaimAsStringList(OidcClientMetadataClaimNames.GRANT_TYPES);
+	default String getClientSecret() {
+		return getClaimAsString(OidcClientMetadataClaimNames.CLIENT_SECRET);
+	}
+
+	/**
+	 * Returns the time at which the {@code client_secret} will expire {@code (client_secret_expires_at)}.
+	 *
+	 * @return the time at which the {@code client_secret} will expire
+	 */
+	default Instant getClientSecretExpiresAt() {
+		return getClaimAsInstant(OidcClientMetadataClaimNames.CLIENT_SECRET_EXPIRES_AT);
 	}
 
 	/**
-	 * Returns the {@code client_name}.
+	 * Returns the name of the Client to be presented to the End-User {@code (client_name)}.
 	 *
-	 * @return the {@code client_name}
+	 * @return the name of the Client to be presented to the End-User
 	 */
 	default String getClientName() {
 		return getClaimAsString(OidcClientMetadataClaimNames.CLIENT_NAME);
 	}
 
 	/**
-	 * Returns the scope(s) that the client may use.
+	 * Returns the redirection {@code URI} values used by the Client {@code (redirect_uris)}.
 	 *
-	 * @return the scope(s)
+	 * @return the redirection {@code URI} values used by the Client
 	 */
-	default String getScope() {
-		return getClaimAsString(OidcClientMetadataClaimNames.SCOPE);
+	default List<String> getRedirectUris() {
+		return getClaimAsStringList(OidcClientMetadataClaimNames.REDIRECT_URIS);
 	}
 
 	/**
-	 * Returns the {@link ClientAuthenticationMethod authentication method} that the client may use.
+	 * Returns the authentication method used by the Client for the Token Endpoint {@code (token_endpoint_auth_method)}.
 	 *
-	 * @return the {@link ClientAuthenticationMethod authentication method}
+	 * @return the authentication method used by the Client for the Token Endpoint
 	 */
 	default String getTokenEndpointAuthenticationMethod() {
 		return getClaimAsString(OidcClientMetadataClaimNames.TOKEN_ENDPOINT_AUTH_METHOD);
 	}
 
 	/**
-	 * Returns the {@code client_id}.
+	 * Returns the OAuth 2.0 {@code grant_type} values that the Client will restrict itself to using {@code (grant_types)}.
 	 *
-	 * @return the {@code client_id}
+	 * @return the OAuth 2.0 {@code grant_type} values that the Client will restrict itself to using
 	 */
-	default String getClientId() {
-		return getClaimAsString(OidcClientMetadataClaimNames.CLIENT_ID);
+	default List<String> getGrantTypes() {
+		return getClaimAsStringList(OidcClientMetadataClaimNames.GRANT_TYPES);
 	}
 
 	/**
-	 * Returns the {@code client_id_issued_at} timestamp.
+	 * Returns the OAuth 2.0 {@code response_type} values that the Client will restrict itself to using {@code (response_types)}.
 	 *
-	 * @return the {@code client_id_issued_at} timestamp
+	 * @return the OAuth 2.0 {@code response_type} values that the Client will restrict itself to using
 	 */
-	default Instant getClientIdIssuedAt() {
-		return getClaimAsInstant(OidcClientMetadataClaimNames.CLIENT_ID_ISSUED_AT);
+	default List<String> getResponseTypes() {
+		return getClaimAsStringList(OidcClientMetadataClaimNames.RESPONSE_TYPES);
 	}
 
 	/**
-	 * Returns the {@code client_secret}.
+	 * Returns the OAuth 2.0 {@code scope} values that the Client will restrict itself to using {@code (scope)}.
 	 *
-	 * @return the {@code client_secret}
+	 * @return the OAuth 2.0 {@code scope} values that the Client will restrict itself to using
 	 */
-	default String getClientSecret() {
-		return getClaimAsString(OidcClientMetadataClaimNames.CLIENT_SECRET);
+	default List<String> getScopes() {
+		return getClaimAsStringList(OidcClientMetadataClaimNames.SCOPE);
 	}
 
 	/**
-	 * Returns the {@code client_secret_expires_at} timestamp.
+	 * Returns the {@link SignatureAlgorithm JWS} algorithm required for signing the {@link OidcIdToken ID Token} issued to the Client {@code (id_token_signed_response_alg)}.
 	 *
-	 * @return the {@code client_secret_expires_at} timestamp
+	 * @return the {@link SignatureAlgorithm JWS} algorithm required for signing the {@link OidcIdToken ID Token} issued to the Client
 	 */
-	default Instant getClientSecretExpiresAt() {
-		return getClaimAsInstant(OidcClientMetadataClaimNames.CLIENT_SECRET_EXPIRES_AT);
+	default String getIdTokenSignedResponseAlgorithm() {
+		return getClaimAsString(OidcClientMetadataClaimNames.ID_TOKEN_SIGNED_RESPONSE_ALG);
 	}
 
-
-
-
 }