OAuth2AuthorizeRequest supports attributes

Fixes gh-7341

Author: jgrandja

config/src/main/java/org/springframework/security/config/annotation/web/reactive/ReactiveOAuth2ClientImportSelector.java

@@ -26,7 +26,7 @@
 import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
 import org.springframework.security.oauth2.client.web.reactive.result.method.annotation.OAuth2AuthorizedClientArgumentResolver;
 import org.springframework.security.oauth2.client.web.server.AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository;
-import org.springframework.security.oauth2.client.web.server.DefaultServerOAuth2AuthorizedClientManager;
+import org.springframework.security.oauth2.client.web.DefaultReactiveOAuth2AuthorizedClientManager;
 import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
 import org.springframework.util.ClassUtils;
 import org.springframework.web.reactive.config.WebFluxConfigurer;
@@ -73,7 +73,7 @@ public void configureArgumentResolvers(ArgumentResolverConfigurer configurer) {
 								.clientCredentials()
 								.password()
 								.build();
-				DefaultServerOAuth2AuthorizedClientManager authorizedClientManager = new DefaultServerOAuth2AuthorizedClientManager(
+				DefaultReactiveOAuth2AuthorizedClientManager authorizedClientManager = new DefaultReactiveOAuth2AuthorizedClientManager(
 						this.clientRegistrationRepository, getAuthorizedClientRepository());
 				authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
 				configurer.addCustomResolver(new OAuth2AuthorizedClientArgumentResolver(authorizedClientManager));

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizeRequest.java

@@ -0,0 +1,198 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.client;
+
+import org.springframework.lang.Nullable;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.util.Assert;
+import org.springframework.util.CollectionUtils;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.function.Consumer;
+
+/**
+ * Represents a request the {@link OAuth2AuthorizedClientManager} uses to
+ * {@link OAuth2AuthorizedClientManager#authorize(OAuth2AuthorizeRequest) authorize} (or re-authorize)
+ * the {@link ClientRegistration client} identified by the provided {@link #getClientRegistrationId() clientRegistrationId}.
+ *
+ * @author Joe Grandja
+ * @since 5.2
+ * @see OAuth2AuthorizedClientManager
+ */
+public final class OAuth2AuthorizeRequest {
+	private String clientRegistrationId;
+	private OAuth2AuthorizedClient authorizedClient;
+	private Authentication principal;
+	private Map<String, Object> attributes;
+
+	private OAuth2AuthorizeRequest() {
+	}
+
+	/**
+	 * Returns the identifier for the {@link ClientRegistration client registration}.
+	 *
+	 * @return the identifier for the client registration
+	 */
+	public String getClientRegistrationId() {
+		return this.clientRegistrationId;
+	}
+
+	/**
+	 * Returns the {@link OAuth2AuthorizedClient authorized client} or {@code null} if it was not provided.
+	 *
+	 * @return the {@link OAuth2AuthorizedClient} or {@code null} if it was not provided
+	 */
+	@Nullable
+	public OAuth2AuthorizedClient getAuthorizedClient() {
+		return this.authorizedClient;
+	}
+
+	/**
+	 * Returns the {@code Principal} (to be) associated to the authorized client.
+	 *
+	 * @return the {@code Principal} (to be) associated to the authorized client
+	 */
+	public Authentication getPrincipal() {
+		return this.principal;
+	}
+
+	/**
+	 * Returns the attributes associated to the request.
+	 *
+	 * @return a {@code Map} of the attributes associated to the request
+	 */
+	public Map<String, Object> getAttributes() {
+		return this.attributes;
+	}
+
+	/**
+	 * Returns the value of an attribute associated to the request or {@code null} if not available.
+	 *
+	 * @param name the name of the attribute
+	 * @param <T> the type of the attribute
+	 * @return the value of the attribute associated to the request
+	 */
+	@Nullable
+	@SuppressWarnings("unchecked")
+	public <T> T getAttribute(String name) {
+		return (T) this.getAttributes().get(name);
+	}
+
+	/**
+	 * Returns a new {@link Builder} initialized with the identifier for the {@link ClientRegistration client registration}.
+	 *
+	 * @param clientRegistrationId the identifier for the {@link ClientRegistration client registration}
+	 * @return the {@link Builder}
+	 */
+	public static Builder withClientRegistrationId(String clientRegistrationId) {
+		return new Builder(clientRegistrationId);
+	}
+
+	/**
+	 * Returns a new {@link Builder} initialized with the {@link OAuth2AuthorizedClient authorized client}.
+	 *
+	 * @param authorizedClient the {@link OAuth2AuthorizedClient authorized client}
+	 * @return the {@link Builder}
+	 */
+	public static Builder withAuthorizedClient(OAuth2AuthorizedClient authorizedClient) {
+		return new Builder(authorizedClient);
+	}
+
+	/**
+	 * A builder for {@link OAuth2AuthorizeRequest}.
+	 */
+	public static class Builder {
+		private String clientRegistrationId;
+		private OAuth2AuthorizedClient authorizedClient;
+		private Authentication principal;
+		private Map<String, Object> attributes;
+
+		private Builder(String clientRegistrationId) {
+			Assert.hasText(clientRegistrationId, "clientRegistrationId cannot be empty");
+			this.clientRegistrationId = clientRegistrationId;
+		}
+
+		private Builder(OAuth2AuthorizedClient authorizedClient) {
+			Assert.notNull(authorizedClient, "authorizedClient cannot be null");
+			this.authorizedClient = authorizedClient;
+		}
+
+		/**
+		 * Sets the {@code Principal} (to be) associated to the authorized client.
+		 *
+		 * @param principal the {@code Principal} (to be) associated to the authorized client
+		 * @return the {@link Builder}
+		 */
+		public Builder principal(Authentication principal) {
+			this.principal = principal;
+			return this;
+		}
+
+		/**
+		 * Provides a {@link Consumer} access to the attributes associated to the request.
+		 *
+		 * @param attributesConsumer a {@link Consumer} of the attributes associated to the request
+		 * @return the {@link Builder}
+		 */
+		public Builder attributes(Consumer<Map<String, Object>> attributesConsumer) {
+			if (this.attributes == null) {
+				this.attributes = new HashMap<>();
+			}
+			attributesConsumer.accept(this.attributes);
+			return this;
+		}
+
+		/**
+		 * Sets an attribute associated to the request.
+		 *
+		 * @param name the name of the attribute
+		 * @param value the value of the attribute
+		 * @return the {@link Builder}
+		 */
+		public Builder attribute(String name, Object value) {
+			if (this.attributes == null) {
+				this.attributes = new HashMap<>();
+			}
+			this.attributes.put(name, value);
+			return this;
+		}
+
+		/**
+		 * Builds a new {@link OAuth2AuthorizeRequest}.
+		 *
+		 * @return a {@link OAuth2AuthorizeRequest}
+		 */
+		public OAuth2AuthorizeRequest build() {
+			Assert.notNull(this.principal, "principal cannot be null");
+			OAuth2AuthorizeRequest authorizeRequest = new OAuth2AuthorizeRequest();
+			if (this.authorizedClient != null) {
+				authorizeRequest.clientRegistrationId = this.authorizedClient.getClientRegistration().getRegistrationId();
+				authorizeRequest.authorizedClient = this.authorizedClient;
+			} else {
+				authorizeRequest.clientRegistrationId = this.clientRegistrationId;
+			}
+			authorizeRequest.principal = this.principal;
+			authorizeRequest.attributes = Collections.unmodifiableMap(
+					CollectionUtils.isEmpty(this.attributes) ?
+							Collections.emptyMap() : new LinkedHashMap<>(this.attributes));
+			return authorizeRequest;
+		}
+	}
+}

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizedClientManager.java renamed to oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClientManager.java

@@ -13,12 +13,11 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.springframework.security.oauth2.client.web;
+package org.springframework.security.oauth2.client;
 
 import org.springframework.lang.Nullable;
-import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
-import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
 
 /**
  * Implementations of this interface are responsible for the overall management
@@ -30,13 +29,14 @@
  *  <li>Authorizing (or re-authorizing) an OAuth 2.0 Client
  *  	by leveraging an {@link OAuth2AuthorizedClientProvider}(s).</li>
  *  <li>Managing the persistence of an {@link OAuth2AuthorizedClient} between requests,
- *  	typically using an {@link OAuth2AuthorizedClientRepository}.</li>
+ *  	typically using an {@link OAuth2AuthorizedClientService} OR {@link OAuth2AuthorizedClientRepository}.</li>
  * </ol>
  *
  * @author Joe Grandja
  * @since 5.2
  * @see OAuth2AuthorizedClient
  * @see OAuth2AuthorizedClientProvider
+ * @see OAuth2AuthorizedClientService
  * @see OAuth2AuthorizedClientRepository
  */
 public interface OAuth2AuthorizedClientManager {

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/ServerOAuth2AuthorizedClientManager.java renamed to oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ReactiveOAuth2AuthorizedClientManager.java

@@ -13,11 +13,10 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.springframework.security.oauth2.client.web.server;
+package org.springframework.security.oauth2.client;
 
-import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
-import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
 import reactor.core.publisher.Mono;
 
 /**
@@ -30,33 +29,34 @@
  *  <li>Authorizing (or re-authorizing) an OAuth 2.0 Client
  *  	by leveraging a {@link ReactiveOAuth2AuthorizedClientProvider}(s).</li>
  *  <li>Managing the persistence of an {@link OAuth2AuthorizedClient} between requests,
- *  	typically using an {@link ServerOAuth2AuthorizedClientRepository}.</li>
+ *  	typically using a {@link ReactiveOAuth2AuthorizedClientService} OR {@link ServerOAuth2AuthorizedClientRepository}.</li>
  * </ol>
  *
  * @author Joe Grandja
  * @since 5.2
  * @see OAuth2AuthorizedClient
  * @see ReactiveOAuth2AuthorizedClientProvider
+ * @see ReactiveOAuth2AuthorizedClientService
  * @see ServerOAuth2AuthorizedClientRepository
  */
-public interface ServerOAuth2AuthorizedClientManager {
+public interface ReactiveOAuth2AuthorizedClientManager {
 
 	/**
 	 * Attempt to authorize or re-authorize (if required) the {@link ClientRegistration client}
-	 * identified by the provided {@link ServerOAuth2AuthorizeRequest#getClientRegistrationId() clientRegistrationId}.
+	 * identified by the provided {@link OAuth2AuthorizeRequest#getClientRegistrationId() clientRegistrationId}.
 	 * Implementations must return an empty {@code Mono} if authorization is not supported for the specified client,
 	 * e.g. the associated {@link ReactiveOAuth2AuthorizedClientProvider}(s) does not support
 	 * the {@link ClientRegistration#getAuthorizationGrantType() authorization grant} type configured for the client.
 	 *
 	 * <p>
-	 * In the case of re-authorization, implementations must return the provided {@link ServerOAuth2AuthorizeRequest#getAuthorizedClient() authorized client}
+	 * In the case of re-authorization, implementations must return the provided {@link OAuth2AuthorizeRequest#getAuthorizedClient() authorized client}
 	 * if re-authorization is not supported for the client OR is not required,
 	 * e.g. a {@link OAuth2AuthorizedClient#getRefreshToken() refresh token} is not available OR
 	 * the {@link OAuth2AuthorizedClient#getAccessToken() access token} is not expired.
 	 *
 	 * @param authorizeRequest the authorize request
 	 * @return the {@link OAuth2AuthorizedClient} or an empty {@code Mono} if authorization is not supported for the specified client
 	 */
-	Mono<OAuth2AuthorizedClient> authorize(ServerOAuth2AuthorizeRequest authorizeRequest);
+	Mono<OAuth2AuthorizedClient> authorize(OAuth2AuthorizeRequest authorizeRequest);
 
 }

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizedClientManager.java

@@ -18,16 +18,21 @@
 import org.springframework.lang.Nullable;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.client.OAuth2AuthorizationContext;
+import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.function.Function;
@@ -68,8 +73,11 @@ public OAuth2AuthorizedClient authorize(OAuth2AuthorizeRequest authorizeRequest)
 		String clientRegistrationId = authorizeRequest.getClientRegistrationId();
 		OAuth2AuthorizedClient authorizedClient = authorizeRequest.getAuthorizedClient();
 		Authentication principal = authorizeRequest.getPrincipal();
-		HttpServletRequest servletRequest = authorizeRequest.getServletRequest();
-		HttpServletResponse servletResponse = authorizeRequest.getServletResponse();
+
+		HttpServletRequest servletRequest = getHttpServletRequestOrDefault(authorizeRequest.getAttributes());
+		Assert.notNull(servletRequest, "servletRequest cannot be null");
+		HttpServletResponse servletResponse = getHttpServletResponseOrDefault(authorizeRequest.getAttributes());
+		Assert.notNull(servletResponse, "servletResponse cannot be null");
 
 		OAuth2AuthorizationContext.Builder contextBuilder;
 		if (authorizedClient != null) {
@@ -104,6 +112,28 @@ public OAuth2AuthorizedClient authorize(OAuth2AuthorizeRequest authorizeRequest)
 		return authorizedClient;
 	}
 
+	private static HttpServletRequest getHttpServletRequestOrDefault(Map<String, Object> attributes) {
+		HttpServletRequest servletRequest = (HttpServletRequest) attributes.get(HttpServletRequest.class.getName());
+		if (servletRequest == null) {
+			ServletRequestAttributes context = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
+			if (context != null) {
+				servletRequest = context.getRequest();
+			}
+		}
+		return servletRequest;
+	}
+
+	private static HttpServletResponse getHttpServletResponseOrDefault(Map<String, Object> attributes) {
+		HttpServletResponse servletResponse = (HttpServletResponse) attributes.get(HttpServletResponse.class.getName());
+		if (servletResponse == null) {
+			ServletRequestAttributes context = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
+			if (context != null) {
+				servletResponse = context.getResponse();
+			}
+		}
+		return servletResponse;
+	}
+
 	/**
 	 * Sets the {@link OAuth2AuthorizedClientProvider} used for authorizing (or re-authorizing) an OAuth 2.0 Client.
 	 *
@@ -133,9 +163,11 @@ public static class DefaultContextAttributesMapper implements Function<OAuth2Aut
 
 		@Override
 		public Map<String, Object> apply(OAuth2AuthorizeRequest authorizeRequest) {
-			Map<String, Object> contextAttributes = new HashMap<>();
-			String scope = authorizeRequest.getServletRequest().getParameter(OAuth2ParameterNames.SCOPE);
+			Map<String, Object> contextAttributes = Collections.emptyMap();
+			HttpServletRequest servletRequest = getHttpServletRequestOrDefault(authorizeRequest.getAttributes());
+			String scope = servletRequest.getParameter(OAuth2ParameterNames.SCOPE);
 			if (StringUtils.hasText(scope)) {
+				contextAttributes = new HashMap<>();
 				contextAttributes.put(OAuth2AuthorizationContext.REQUEST_SCOPE_ATTRIBUTE_NAME,
 						StringUtils.delimitedListToStringArray(scope, " "));
 			}