scopes_supported metadata not used as default in ClientRegistrations

martin-v · jgrandja · commit 0486d5add983 · 2020-08-20T08:09:54.000-04:00
Closes gh-8514
diff --git a/config/src/test/java/org/springframework/security/config/oauth2/client/ClientRegistrationsBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/oauth2/client/ClientRegistrationsBeanDefinitionParserTests.java
@@ -152,7 +152,7 @@ public void parseWhenIssuerUriConfiguredThenRequestConfigFromIssuer() throws Exc
 		assertThat(googleRegistration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.BASIC);
 		assertThat(googleRegistration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
 		assertThat(googleRegistration.getRedirectUri()).isEqualTo("{baseUrl}/{action}/oauth2/code/{registrationId}");
-		assertThat(googleRegistration.getScopes()).isEqualTo(StringUtils.commaDelimitedListToSet("openid,profile,email"));
+		assertThat(googleRegistration.getScopes()).isNull();
 		assertThat(googleRegistration.getClientName()).isEqualTo(serverUrl);
 
 		ProviderDetails googleProviderDetails = googleRegistration.getProviderDetails();
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java
@@ -25,7 +25,6 @@
 
 import com.nimbusds.oauth2.sdk.GrantType;
 import com.nimbusds.oauth2.sdk.ParseException;
-import com.nimbusds.oauth2.sdk.Scope;
 import com.nimbusds.oauth2.sdk.as.AuthorizationServerMetadata;
 import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
 import net.minidev.json.JSONObject;
@@ -35,7 +34,6 @@
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
-import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.util.Assert;
 import org.springframework.web.client.HttpClientErrorException;
 import org.springframework.web.client.RestTemplate;
@@ -236,12 +234,10 @@ private static ClientRegistration.Builder withProviderConfiguration(Authorizatio
 			throw new IllegalArgumentException("Only AuthorizationGrantType.AUTHORIZATION_CODE is supported. The issuer \"" + issuer +
 					"\" returned a configuration of " + grantTypes);
 		}
-		List<String> scopes = getScopes(metadata);
 		Map<String, Object> configurationMetadata = new LinkedHashMap<>(metadata.toJSONObject());
 
 		return ClientRegistration.withRegistrationId(name)
 				.userNameAttributeName(IdTokenClaimNames.SUB)
-				.scope(scopes)
 				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 				.clientAuthenticationMethod(method)
 				.redirectUri("{baseUrl}/{action}/oauth2/code/{registrationId}")
@@ -268,16 +264,6 @@ private static ClientAuthenticationMethod getClientAuthenticationMethod(String i
 				+ "ClientAuthenticationMethod.NONE are supported. The issuer \"" + issuer + "\" returned a configuration of " + metadataAuthMethods);
 	}
 
-	private static List<String> getScopes(AuthorizationServerMetadata metadata) {
-		Scope scope = metadata.getScopes();
-		if (scope == null) {
-			// If null, default to "openid" which must be supported
-			return Collections.singletonList(OidcScopes.OPENID);
-		} else {
-			return scope.toStringList();
-		}
-	}
-
 	private ClientRegistrations() {}
 
 }
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTest.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTest.java
@@ -158,7 +158,7 @@ private void assertIssuerMetadata(ClientRegistration registration,
 		assertThat(registration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
 		assertThat(registration.getRegistrationId()).isEqualTo(this.server.getHostName());
 		assertThat(registration.getClientName()).isEqualTo(this.issuer);
-		assertThat(registration.getScopes()).containsOnly("openid", "email", "profile");
+		assertThat(registration.getScopes()).isNull();
 		assertThat(provider.getAuthorizationUri()).isEqualTo("https://example.com/o/oauth2/v2/auth");
 		assertThat(provider.getTokenUri()).isEqualTo("https://example.com/oauth2/v4/token");
 		assertThat(provider.getJwkSetUri()).isEqualTo("https://example.com/oauth2/v3/certs");
@@ -222,41 +222,6 @@ public void issuerWhenOAuth2ContainsTrailingSlashThenSuccess() throws Exception
 		assertThat(this.issuer).endsWith("/");
 	}
 
-	/**
-	 * https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
-	 *
-	 * RECOMMENDED. JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The
-	 * server MUST support the openid scope value.
-	 * @throws Exception
-	 */
-	@Test
-	public void issuerWhenScopesNullThenScopesDefaulted() throws Exception {
-		this.response.remove("scopes_supported");
-
-		ClientRegistration registration = registration("").build();
-
-		assertThat(registration.getScopes()).containsOnly("openid");
-	}
-
-	@Test
-	public void issuerWhenOidcFallbackScopesNullThenScopesDefaulted() throws Exception {
-		this.response.remove("scopes_supported");
-
-		ClientRegistration registration = registrationOidcFallback("", null).build();
-
-		assertThat(registration.getScopes()).containsOnly("openid");
-	}
-
-	@Test
-	public void issuerWhenOAuth2ScopesNullThenScopesDefaulted() throws Exception {
-		this.response.remove("scopes_supported");
-
-		ClientRegistration registration = registrationOAuth2("", null).build();
-
-		assertThat(registration.getScopes()).containsOnly("openid");
-	}
-
-
 	@Test
 	public void issuerWhenGrantTypesSupportedNullThenDefaulted() throws Exception {
 		this.response.remove("grant_types_supported");
