Support authorization_code grant for OAuth2 client

This commit also refactors OAuth2 client properties. With
the added support for authorization_code clients, client
registrations are now divided into `login` and `authorization_code`.
An environment post processor is used for backward compatibility with
old Open ID Connect login clients.

Closes gh-13812

Author: mbhave

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/ClientsConfiguredCondition.java

@@ -16,6 +16,7 @@
 package org.springframework.boot.autoconfigure.security.oauth2.client;
 
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.Map;
 import java.util.stream.Collectors;
 
@@ -37,29 +38,44 @@
  */
 public class ClientsConfiguredCondition extends SpringBootCondition {
 
-	private static final Bindable<Map<String, OAuth2ClientProperties.Registration>> STRING_REGISTRATION_MAP = Bindable
-			.mapOf(String.class, OAuth2ClientProperties.Registration.class);
+	private static final Bindable<Map<String, OAuth2ClientProperties.LoginClientRegistration>> STRING_LOGIN_REGISTRATION_MAP = Bindable
+			.mapOf(String.class, OAuth2ClientProperties.LoginClientRegistration.class);
+
+	private static final Bindable<Map<String, OAuth2ClientProperties.AuthorizationCodeClientRegistration>> STRING_AUTHORIZATIONCODE_REGISTRATION_MAP = Bindable
+			.mapOf(String.class,
+					OAuth2ClientProperties.AuthorizationCodeClientRegistration.class);
 
 	@Override
 	public ConditionOutcome getMatchOutcome(ConditionContext context,
 			AnnotatedTypeMetadata metadata) {
 		ConditionMessage.Builder message = ConditionMessage
 				.forCondition("OAuth2 Clients Configured Condition");
-		Map<String, OAuth2ClientProperties.Registration> registrations = getRegistrations(
+		Map<String, OAuth2ClientProperties.BaseClientRegistration> registrations = getRegistrations(
 				context.getEnvironment());
 		if (!registrations.isEmpty()) {
-			return ConditionOutcome.match(message
-					.foundExactly("registered clients " + registrations.values().stream()
-							.map(OAuth2ClientProperties.Registration::getClientId)
+			return ConditionOutcome.match(message.foundExactly(
+					"registered clients " + registrations.values().stream().map(
+							OAuth2ClientProperties.BaseClientRegistration::getClientId)
 							.collect(Collectors.joining(", "))));
 		}
 		return ConditionOutcome.noMatch(message.notAvailable("registered clients"));
 	}
 
-	private Map<String, OAuth2ClientProperties.Registration> getRegistrations(
+	private Map<String, OAuth2ClientProperties.BaseClientRegistration> getRegistrations(
 			Environment environment) {
-		return Binder.get(environment).bind("spring.security.oauth2.client.registration",
-				STRING_REGISTRATION_MAP).orElse(Collections.emptyMap());
+		Map<String, OAuth2ClientProperties.BaseClientRegistration> registrations = new HashMap();
+		Map<String, OAuth2ClientProperties.LoginClientRegistration> loginClientRegistrations = Binder
+				.get(environment).bind("spring.security.oauth2.client.registration.login",
+						STRING_LOGIN_REGISTRATION_MAP)
+				.orElse(Collections.emptyMap());
+		Map<String, OAuth2ClientProperties.AuthorizationCodeClientRegistration> authCodeClientRegistrations = Binder
+				.get(environment)
+				.bind("spring.security.oauth2.client.registration.authorizationcode",
+						STRING_AUTHORIZATIONCODE_REGISTRATION_MAP)
+				.orElse(Collections.emptyMap());
+		registrations.putAll(loginClientRegistrations);
+		registrations.putAll(authCodeClientRegistrations);
+		return registrations;
 	}
 
 }

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2ClientProperties.java

@@ -44,31 +44,105 @@ public class OAuth2ClientProperties {
 	/**
 	 * OAuth client registrations.
 	 */
-	private final Map<String, Registration> registration = new HashMap<>();
+	private final Registration registration = new Registration();
 
 	public Map<String, Provider> getProvider() {
 		return this.provider;
 	}
 
-	public Map<String, Registration> getRegistration() {
+	public Registration getRegistration() {
 		return this.registration;
 	}
 
 	@PostConstruct
 	public void validate() {
-		this.getRegistration().values().forEach(this::validateRegistration);
+		this.getRegistration().getLogin().values().forEach(this::validateRegistration);
+		this.getRegistration().getAuthorizationCode().values()
+				.forEach(this::validateRegistration);
 	}
 
-	private void validateRegistration(Registration registration) {
+	private void validateRegistration(BaseClientRegistration registration) {
 		if (!StringUtils.hasText(registration.getClientId())) {
 			throw new IllegalStateException("Client id must not be empty.");
 		}
 	}
 
+	public static class Registration {
+
+		/**
+		 * OpenID Connect client registrations.
+		 */
+		private Map<String, LoginClientRegistration> login = new HashMap<>();
+
+		/**
+		 * OAuth2 authorization_code client registrations.
+		 */
+		private Map<String, AuthorizationCodeClientRegistration> authorizationCode = new HashMap<>();
+
+		public Map<String, LoginClientRegistration> getLogin() {
+			return this.login;
+		}
+
+		public void setLogin(Map<String, LoginClientRegistration> login) {
+			this.login = login;
+		}
+
+		public Map<String, AuthorizationCodeClientRegistration> getAuthorizationCode() {
+			return this.authorizationCode;
+		}
+
+		public void setAuthorizationCode(
+				Map<String, AuthorizationCodeClientRegistration> authorizationCode) {
+			this.authorizationCode = authorizationCode;
+		}
+
+	}
+
 	/**
-	 * A single client registration.
+	 * A single client registration for OpenID Connect login.
 	 */
-	public static class Registration {
+	public static class LoginClientRegistration extends BaseClientRegistration {
+
+		/**
+		 * Redirect URI. May be left blank when using a pre-defined provider.
+		 */
+		private String redirectUriTemplate;
+
+		public String getRedirectUriTemplate() {
+			return this.redirectUriTemplate;
+		}
+
+		public void setRedirectUriTemplate(String redirectUriTemplate) {
+			this.redirectUriTemplate = redirectUriTemplate;
+		}
+
+	}
+
+	/**
+	 * A single client registration for OAuth2 authorization_code flow.
+	 */
+	public static class AuthorizationCodeClientRegistration
+			extends BaseClientRegistration {
+
+		/**
+		 * Redirect URI for the registration.
+		 */
+		private String redirectUri;
+
+		public String getRedirectUri() {
+			return this.redirectUri;
+		}
+
+		public void setRedirectUri(String redirectUri) {
+			this.redirectUri = redirectUri;
+		}
+
+	}
+
+	/**
+	 * Base class for a single client registration.
+	 */
+	public static class BaseClientRegistration {
 
 		/**
 		 * Reference to the OAuth 2.0 provider to use. May reference an element from the
@@ -98,11 +172,6 @@ public static class Registration {
 		 */
 		private String authorizationGrantType;
 
-		/**
-		 * Redirect URI. May be left blank when using a pre-defined provider.
-		 */
-		private String redirectUriTemplate;
-
 		/**
 		 * Authorization scopes. May be left blank when using a pre-defined provider.
 		 */
@@ -153,14 +222,6 @@ public void setAuthorizationGrantType(String authorizationGrantType) {
 			this.authorizationGrantType = authorizationGrantType;
 		}
 
-		public String getRedirectUriTemplate() {
-			return this.redirectUriTemplate;
-		}
-
-		public void setRedirectUriTemplate(String redirectUriTemplate) {
-			this.redirectUriTemplate = redirectUriTemplate;
-		}
-
 		public Set<String> getScope() {
 			return this.scope;
 		}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2ClientPropertiesEnvironmentPostProcessor.java

@@ -0,0 +1,115 @@
+/*
+ * Copyright 2012-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.boot.autoconfigure.security.oauth2.client;
+
+import java.util.Collections;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.function.Supplier;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.context.config.ConfigFileApplicationListener;
+import org.springframework.boot.context.properties.bind.Bindable;
+import org.springframework.boot.context.properties.bind.Binder;
+import org.springframework.boot.context.properties.source.ConfigurationPropertyName;
+import org.springframework.boot.context.properties.source.ConfigurationPropertySource;
+import org.springframework.boot.context.properties.source.ConfigurationPropertySources;
+import org.springframework.boot.env.EnvironmentPostProcessor;
+import org.springframework.core.Ordered;
+import org.springframework.core.env.ConfigurableEnvironment;
+import org.springframework.core.env.MapPropertySource;
+
+/**
+ * {@link EnvironmentPostProcessor} that migrates legacy OAuth2 login client properties
+ * under the `spring.security.oauth2.client.login` prefix.
+ *
+ * @author Madhura Bhave
+ * @since 2.1.0
+ */
+public class OAuth2ClientPropertiesEnvironmentPostProcessor
+		implements EnvironmentPostProcessor, Ordered {
+
+	private static final Bindable<Map<String, OAuth2ClientProperties.LoginClientRegistration>> STRING_LEGACY_REGISTRATION_MAP = Bindable
+			.mapOf(String.class, OAuth2ClientProperties.LoginClientRegistration.class);
+
+	private static final String PREFIX = "spring.security.oauth2.client.registration";
+
+	private static final String LOGIN_REGISTRATION_PREFIX = PREFIX + ".login.";
+
+	private static final String UPDATED_PROPERTY_SOURCE_SUFFIX = "-updated-oauth-client";
+
+	private int order = ConfigFileApplicationListener.DEFAULT_ORDER + 1;
+
+	@Override
+	public void postProcessEnvironment(ConfigurableEnvironment environment,
+			SpringApplication application) {
+		environment.getPropertySources().forEach((propertySource) -> {
+			String name = propertySource.getName();
+			Iterable<ConfigurationPropertySource> sources = ConfigurationPropertySources
+					.from(propertySource);
+			ConfigurationPropertySource source = sources.iterator().next();
+			Binder binder = new Binder(sources);
+			Map<String, Object> map = new LinkedHashMap<>();
+			MapPropertySource updatedPropertySource = new MapPropertySource(
+					name + UPDATED_PROPERTY_SOURCE_SUFFIX, map);
+			Map<String, OAuth2ClientProperties.LoginClientRegistration> registrations = binder
+					.bind(PREFIX, STRING_LEGACY_REGISTRATION_MAP)
+					.orElse(Collections.emptyMap());
+			registrations.entrySet()
+					.forEach((entry) -> addProperties(entry, source, map));
+			if (!map.isEmpty()) {
+				environment.getPropertySources().addBefore(name, updatedPropertySource);
+			}
+		});
+	}
+
+	private void addProperties(
+			Map.Entry<String, OAuth2ClientProperties.LoginClientRegistration> entry,
+			ConfigurationPropertySource source, Map<String, Object> map) {
+		OAuth2ClientProperties.LoginClientRegistration registration = entry.getValue();
+		String registrationId = entry.getKey();
+		addProperty(registrationId, "client-id", registration::getClientId, map, source);
+		addProperty(registrationId, "client-secret", registration::getClientSecret, map,
+				source);
+		addProperty(registrationId, "client-name", registration::getClientName, map,
+				source);
+		addProperty(registrationId, "redirect-uri-template",
+				registration::getRedirectUriTemplate, map, source);
+		addProperty(registrationId, "authorization-grant-type",
+				registration::getAuthorizationGrantType, map, source);
+		addProperty(registrationId, "client-authentication-method",
+				registration::getClientAuthenticationMethod, map, source);
+		addProperty(registrationId, "provider", registration::getProvider, map, source);
+		addProperty(registrationId, "scope", registration::getScope, map, source);
+	}
+
+	private void addProperty(String registrationId, String property,
+			Supplier<Object> valueSupplier, Map<String, Object> map,
+			ConfigurationPropertySource source) {
+		String registrationKey = PREFIX + "." + registrationId + ".";
+		String loginRegistrationKey = LOGIN_REGISTRATION_PREFIX + registrationId + ".";
+		if (source.getConfigurationProperty(
+				ConfigurationPropertyName.of(registrationKey + property)) != null) {
+			map.put(loginRegistrationKey + property, valueSupplier.get());
+		}
+	}
+
+	@Override
+	public int getOrder() {
+		return this.order;
+	}
+
+}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2ClientPropertiesRegistrationAdapter.java

@@ -20,7 +20,6 @@
 import java.util.Map;
 
 import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties.Provider;
-import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties.Registration;
 import org.springframework.boot.context.properties.PropertyMapper;
 import org.springframework.boot.convert.ApplicationConversionService;
 import org.springframework.core.convert.ConversionException;
@@ -51,30 +50,54 @@ private OAuth2ClientPropertiesRegistrationAdapter() {
 	public static Map<String, ClientRegistration> getClientRegistrations(
 			OAuth2ClientProperties properties) {
 		Map<String, ClientRegistration> clientRegistrations = new HashMap<>();
-		properties.getRegistration().forEach((key, value) -> clientRegistrations.put(key,
-				getClientRegistration(key, value, properties.getProvider())));
+		properties.getRegistration().getLogin()
+				.forEach((key, value) -> clientRegistrations.put(key,
+						getLoginClientRegistration(key, value,
+								properties.getProvider())));
+		properties.getRegistration().getAuthorizationCode()
+				.forEach((key, value) -> clientRegistrations.put(key,
+						getAuthorizationCodeClientRegistration(key, value,
+								properties.getProvider())));
 		return clientRegistrations;
 	}
 
-	private static ClientRegistration getClientRegistration(String registrationId,
-			Registration properties, Map<String, Provider> providers) {
+	private static ClientRegistration getAuthorizationCodeClientRegistration(
+			String registrationId,
+			OAuth2ClientProperties.AuthorizationCodeClientRegistration properties,
+			Map<String, Provider> providers) {
+		PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
+		Builder builder = getBuilder(map, registrationId, properties, providers);
+		map.from(properties::getRedirectUri).to(builder::redirectUriTemplate);
+		return builder.build();
+	}
+
+	private static Builder getBuilder(PropertyMapper map, String registrationId,
+			OAuth2ClientProperties.BaseClientRegistration properties,
+			Map<String, Provider> providers) {
 		Builder builder = getBuilderFromIssuerIfPossible(registrationId,
 				properties.getProvider(), providers);
 		if (builder == null) {
 			builder = getBuilder(registrationId, properties.getProvider(), providers);
 		}
-		PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
 		map.from(properties::getClientId).to(builder::clientId);
 		map.from(properties::getClientSecret).to(builder::clientSecret);
 		map.from(properties::getClientAuthenticationMethod)
 				.as(ClientAuthenticationMethod::new)
 				.to(builder::clientAuthenticationMethod);
 		map.from(properties::getAuthorizationGrantType).as(AuthorizationGrantType::new)
 				.to(builder::authorizationGrantType);
-		map.from(properties::getRedirectUriTemplate).to(builder::redirectUriTemplate);
 		map.from(properties::getScope).as((scope) -> StringUtils.toStringArray(scope))
 				.to(builder::scope);
 		map.from(properties::getClientName).to(builder::clientName);
+		return builder;
+	}
+
+	private static ClientRegistration getLoginClientRegistration(String registrationId,
+			OAuth2ClientProperties.LoginClientRegistration properties,
+			Map<String, Provider> providers) {
+		PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
+		Builder builder = getBuilder(map, registrationId, properties, providers);
+		map.from(properties::getRedirectUriTemplate).to(builder::redirectUriTemplate);
 		return builder.build();
 	}
 

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2WebSecurityConfiguration.java

@@ -60,7 +60,8 @@ static class OAuth2WebSecurityConfigurerAdapter extends WebSecurityConfigurerAda
 
 		@Override
 		protected void configure(HttpSecurity http) throws Exception {
-			http.authorizeRequests().anyRequest().authenticated().and().oauth2Login();
+			http.authorizeRequests().anyRequest().authenticated().and().oauth2Login()
+					.and().oauth2Client().authorizationCodeGrant();
 		}
 
 	}