
Commit fc24c79

mayur9991jgrandja
authored andcommitted
Allow null or empty authorities for DefaultOAuth2User
Make DefaultOAuth2User more in line with other parts of spring-security. For example: - DefaultOAuth2AuthenticatedPrincipal - AbstractAuthenticationToken Closes gh-9366
1 parent 42013ee commit fc24c79


3 files changed

+44
-22
lines changed


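--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/user/DefaultOAuth2User.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/user/DefaultOAuth2User.java
@@ -1,5 +1,5 @@
 /*
-* Copyright 2002-2019 the original author or authors.
+* Copyright 2002-2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@
 
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.SpringSecurityCoreVersion;
+import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.util.Assert;
 
 /**
@@ -65,13 +66,14 @@ public class DefaultOAuth2User implements OAuth2User, Serializable {
 */
 public DefaultOAuth2User(Collection<? extends GrantedAuthority> authorities, Map<String, Object> attributes,
 String nameAttributeKey) {
-Assert.notEmpty(authorities, "authorities cannot be empty");
 Assert.notEmpty(attributes, "attributes cannot be empty");
 Assert.hasText(nameAttributeKey, "nameAttributeKey cannot be empty");
 if (!attributes.containsKey(nameAttributeKey)) {
 throw new IllegalArgumentException("Missing attribute '" + nameAttributeKey + "' in attributes");
 }
-this.authorities = Collections.unmodifiableSet(new LinkedHashSet<>(this.sortAuthorities(authorities)));
+this.authorities = (authorities != null)
+? Collections.unmodifiableSet(new LinkedHashSet<>(this.sortAuthorities(authorities)))
+: Collections.unmodifiableSet(new LinkedHashSet<>(AuthorityUtils.NO_AUTHORITIES));
 this.attributes = Collections.unmodifiableMap(new LinkedHashMap<>(attributes));
 this.nameAttributeKey = nameAttributeKey;
 }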
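Review bot: The constructor now accepts a null or empty `authorities`, but the Javadoc that closes on the first line of the last hunk is not part of the change, so the documented parameter contract may still describe it as required; the comment starts outside the hunk, so this is inferred. I would state the new contract on the parameter: `@param authorities the authorities granted to the user, may be {@code null} or empty, in which case the user has no authorities`. The Javadoc should also say that the removed `Assert.notEmpty(authorities, ...)` acted as a fail-closed check: a caller whose authority mapping yields nothing now gets a valid principal with no authorities instead of an `IllegalArgumentException`. Access rules that only require an authenticated user will admit that principal, so anything stricter has to check authorities explicitly.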

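--- a/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/oidc/user/DefaultOidcUserTests.java
+++ b/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/oidc/user/DefaultOidcUserTests.java
@@ -1,5 +1,5 @@
 /*
-* Copyright 2002-2017 the original author or authors.
+* Copyright 2002-2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -25,6 +25,7 @@
 import org.junit.Test;
 
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
 import org.springframework.security.oauth2.core.oidc.OidcIdToken;
@@ -66,11 +67,6 @@ public class DefaultOidcUserTests {
 
 private static final OidcUserInfo USER_INFO = new OidcUserInfo(USER_INFO_CLAIMS);
 
-@Test
-public void constructorWhenAuthoritiesIsNullThenThrowIllegalArgumentException() {
-assertThatIllegalArgumentException().isThrownBy(() -> new DefaultOidcUser(null, ID_TOKEN));
-}
-
 @Test
 public void constructorWhenIdTokenIsNullThenThrowIllegalArgumentException() {
 assertThatIllegalArgumentException().isThrownBy(() -> new DefaultOidcUser(AUTHORITIES, null));
@@ -81,6 +77,26 @@ public void constructorWhenNameAttributeKeyInvalidThenThrowIllegalArgumentExcept
 assertThatIllegalArgumentException().isThrownBy(() -> new DefaultOidcUser(AUTHORITIES, ID_TOKEN, "invalid"));
 }
 
+@Test
+public void constructorWhenAuthoritiesIsNullThenCreatedWithEmptyAuthorities() {
+DefaultOidcUser user = new DefaultOidcUser(null, ID_TOKEN);
+assertThat(user.getClaims()).containsOnlyKeys(IdTokenClaimNames.ISS, IdTokenClaimNames.SUB);
+assertThat(user.getIdToken()).isEqualTo(ID_TOKEN);
+assertThat(user.getName()).isEqualTo(SUBJECT);
+assertThat(user.getAuthorities()).isEmpty();
+assertThat(user.getAttributes()).containsOnlyKeys(IdTokenClaimNames.ISS, IdTokenClaimNames.SUB);
+}
+
+@Test
+public void constructorWhenAuthoritiesIsEmptyThenCreated() {
+DefaultOidcUser user = new DefaultOidcUser(AuthorityUtils.NO_AUTHORITIES, ID_TOKEN);
+assertThat(user.getClaims()).containsOnlyKeys(IdTokenClaimNames.ISS, IdTokenClaimNames.SUB);
+assertThat(user.getIdToken()).isEqualTo(ID_TOKEN);
+assertThat(user.getName()).isEqualTo(SUBJECT);
+assertThat(user.getAuthorities()).isEmpty();
+assertThat(user.getAttributes()).containsOnlyKeys(IdTokenClaimNames.ISS, IdTokenClaimNames.SUB);
+}
+
 @Test
 public void constructorWhenAuthoritiesIdTokenProvidedThenCreated() {
 DefaultOidcUser user = new DefaultOidcUser(AUTHORITIES, ID_TOKEN);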
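Review bot: The two new tests only assert that `getAuthorities()` is empty; neither pins that the collection built on the new null path is still unmodifiable, which is what keeps later code from altering a principal's authorities. In `constructorWhenAuthoritiesIsNullThenCreatedWithEmptyAuthorities` I would add `assertThatExceptionOfType(UnsupportedOperationException.class).isThrownBy(() -> user.getAuthorities().clear());` (AssertJ; whether the static import is already present is not visible in these hunks). The same applies to the two tests added in DefaultOAuth2UserTests.java.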

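--- a/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/user/DefaultOAuth2UserTests.java
+++ b/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/user/DefaultOAuth2UserTests.java
@@ -1,5 +1,5 @@
 /*
-* Copyright 2002-2017 the original author or authors.
+* Copyright 2002-2021 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -47,18 +47,6 @@ public class DefaultOAuth2UserTests {
 
 private static final Map<String, Object> ATTRIBUTES = Collections.singletonMap(ATTRIBUTE_NAME_KEY, USERNAME);
 
-@Test
-public void constructorWhenAuthoritiesIsNullThenThrowIllegalArgumentException() {
-assertThatIllegalArgumentException()
-.isThrownBy(() -> new DefaultOAuth2User(null, ATTRIBUTES, ATTRIBUTE_NAME_KEY));
-}
-
-@Test
-public void constructorWhenAuthoritiesIsEmptyThenThrowIllegalArgumentException() {
-assertThatIllegalArgumentException()
-.isThrownBy(() -> new DefaultOAuth2User(Collections.emptySet(), ATTRIBUTES, ATTRIBUTE_NAME_KEY));
-}
-
 @Test
 public void constructorWhenAttributesIsNullThenThrowIllegalArgumentException() {
 assertThatIllegalArgumentException()
@@ -82,6 +70,22 @@ public void constructorWhenNameAttributeKeyIsInvalidThenThrowIllegalArgumentExce
 .isThrownBy(() -> new DefaultOAuth2User(AUTHORITIES, ATTRIBUTES, "invalid"));
 }
 
+@Test
+public void constructorWhenAuthoritiesIsNullThenCreatedWithEmptyAuthorities() {
+DefaultOAuth2User user = new DefaultOAuth2User(null, ATTRIBUTES, ATTRIBUTE_NAME_KEY);
+assertThat(user.getName()).isEqualTo(USERNAME);
+assertThat(user.getAuthorities()).isEmpty();
+assertThat(user.getAttributes()).containsOnlyKeys(ATTRIBUTE_NAME_KEY);
+}
+
+@Test
+public void constructorWhenAuthoritiesIsEmptyThenCreated() {
+DefaultOAuth2User user = new DefaultOAuth2User(Collections.emptySet(), ATTRIBUTES, ATTRIBUTE_NAME_KEY);
+assertThat(user.getName()).isEqualTo(USERNAME);
+assertThat(user.getAuthorities()).isEmpty();
+assertThat(user.getAttributes()).containsOnlyKeys(ATTRIBUTE_NAME_KEY);
+}
+
 @Test
 public void constructorWhenAllParametersProvidedAndValidThenCreated() {
 DefaultOAuth2User user = new DefaultOAuth2User(AUTHORITIES, ATTRIBUTES, ATTRIBUTE_NAME_KEY);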
