Refactor validation and attributes

Author: sjohnr

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeAuthenticationProvider.java

@@ -180,6 +180,13 @@ public Authentication authenticate(Authentication authentication) throws Authent
 			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_REQUEST);
 		}
 
+		if (subjectAuthorization.getAttribute(Principal.class.getName()) == null) {
+			// As per https://datatracker.ietf.org/doc/html/rfc8693#section-1.1,
+			// we require a principal to be available via the subject_token for
+			// impersonation or delegation use cases.
+			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
+		}
+
 		OAuth2Authorization actorAuthorization = null;
 		if (StringUtils.hasText(tokenExchangeAuthentication.getActorToken())) {
 			actorAuthorization = this.authorizationService.findByToken(
@@ -209,30 +216,22 @@ public Authentication authenticate(Authentication authentication) throws Authent
 
 		Set<String> authorizedScopes = Collections.emptySet();
 		if (!CollectionUtils.isEmpty(tokenExchangeAuthentication.getScopes())) {
-			for (String requestedScope : tokenExchangeAuthentication.getScopes()) {
-				if (!registeredClient.getScopes().contains(requestedScope)) {
-					throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_SCOPE);
-				}
-			}
-			authorizedScopes = new LinkedHashSet<>(tokenExchangeAuthentication.getScopes());
+			authorizedScopes = validateRequestedScopes(registeredClient, tokenExchangeAuthentication.getScopes());
+		} else if (!CollectionUtils.isEmpty(subjectAuthorization.getAuthorizedScopes())) {
+			authorizedScopes = validateRequestedScopes(registeredClient, subjectAuthorization.getAuthorizedScopes());
 		}
 
 		if (this.logger.isTraceEnabled()) {
 			this.logger.trace("Validated token request parameters");
 		}
 
-		if (CollectionUtils.isEmpty(authorizedScopes)) {
-			// TODO: Validate that original authorizedScopes are also configured for this client?
-			authorizedScopes = new LinkedHashSet<>(subjectAuthorization.getAuthorizedScopes());
-		}
-
-		Authentication compositePrincipal = createCompositePrincipal(subjectAuthorization, actorAuthorization);
+		Authentication principal = getPrincipal(subjectAuthorization, actorAuthorization);
 
 		// @formatter:off
 		DefaultOAuth2TokenContext.Builder tokenContextBuilder = DefaultOAuth2TokenContext.builder()
 				.registeredClient(registeredClient)
 				.authorization(subjectAuthorization)
-				.principal(compositePrincipal)
+				.principal(principal)
 				.authorizationServerContext(AuthorizationServerContextHolder.getContext())
 				.authorizedScopes(authorizedScopes)
 				.tokenType(OAuth2TokenType.ACCESS_TOKEN)
@@ -262,9 +261,8 @@ public Authentication authenticate(Authentication authentication) throws Authent
 				.principalName(subjectAuthorization.getPrincipalName())
 				.authorizationGrantType(TOKEN_EXCHANGE)
 				.authorizedScopes(authorizedScopes)
-				.attribute(Principal.class.getName(), compositePrincipal);
+				.attribute(Principal.class.getName(), principal);
 		// @formatter:on
-		// TODO: Add information about the original subject and actor authorizations?
 
 		if (generatedAccessToken instanceof ClaimAccessor) {
 			authorizationBuilder.token(accessToken, (metadata) -> {
@@ -293,15 +291,19 @@ public Authentication authenticate(Authentication authentication) throws Authent
 				registeredClient, clientPrincipal, accessToken, null, additionalParameters);
 	}
 
-	private static Authentication createCompositePrincipal(OAuth2Authorization subjectAuthorization, OAuth2Authorization actorAuthorization) {
-		Authentication subjectPrincipal = subjectAuthorization.getAttribute(Principal.class.getName());
-		if (subjectPrincipal == null) {
-			// As per https://datatracker.ietf.org/doc/html/rfc8693#section-1.1,
-			// we require a principal to be available via the subject_token for
-			// impersonation or delegation use cases.
-			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
+	private static Set<String> validateRequestedScopes(RegisteredClient registeredClient, Set<String> requestedScopes) {
+		for (String requestedScope : requestedScopes) {
+			if (!registeredClient.getScopes().contains(requestedScope)) {
+				throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_SCOPE);
+			}
 		}
 
+		return new LinkedHashSet<>(requestedScopes);
+	}
+
+	private static Authentication getPrincipal(OAuth2Authorization subjectAuthorization, OAuth2Authorization actorAuthorization) {
+		Authentication subjectPrincipal = subjectAuthorization.getAttribute(Principal.class.getName());
+
 		List<Authentication> actorPrincipals = new LinkedList<>();
 		if (actorAuthorization != null) {
 			actorPrincipals.add(new OAuth2ActorAuthenticationToken(actorAuthorization.getPrincipalName()));
@@ -317,7 +319,8 @@ private static Authentication createCompositePrincipal(OAuth2Authorization subje
 			//  actors exist but no actor_token exists on this request?
 		}
 
-		return new OAuth2CompositeAuthenticationToken(subjectPrincipal, actorPrincipals);
+		return CollectionUtils.isEmpty(actorPrincipals) ? subjectPrincipal :
+				new OAuth2CompositeAuthenticationToken(subjectPrincipal, actorPrincipals);
 	}
 
 	@Override

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/token/JwtGenerator.java

@@ -162,7 +162,7 @@ public Jwt generate(OAuth2TokenContext context) {
 				for (Authentication actorPrincipal : compositeAuthenticationToken.getActors()) {
 					Map<String, Object> actClaim = new HashMap<>();
 					actClaim.put("sub", actorPrincipal.getName());
-					currentClaims.put("act", actClaim);
+					currentClaims.put("act", Collections.unmodifiableMap(actClaim));
 					currentClaims = actClaim;
 				}
 			});