spring-projects · sjohnr · Oct 5, 2021 · Sep 24, 2021
diff --git a/...ringframework/security/oauth2/client/JwtBearerReactiveOAuth2AuthorizedClientProvider.java b/...ringframework/security/oauth2/client/JwtBearerReactiveOAuth2AuthorizedClientProvider.java
@@ -0,0 +1,145 @@
+/*
+ * Copyright 2002-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.client;
+
+import java.time.Clock;
+import java.time.Duration;
+import java.time.Instant;
+
+import reactor.core.publisher.Mono;
+
+import org.springframework.security.oauth2.client.endpoint.JwtBearerGrantRequest;
+import org.springframework.security.oauth2.client.endpoint.ReactiveOAuth2AccessTokenResponseClient;
+import org.springframework.security.oauth2.client.endpoint.WebClientReactiveJwtBearerTokenResponseClient;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
+import org.springframework.security.oauth2.core.OAuth2Token;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.util.Assert;
+
+/**
+ * An implementation of an {@link ReactiveOAuth2AuthorizedClientProvider} for the
+ * {@link AuthorizationGrantType#JWT_BEARER jwt-bearer} grant.
+ *
+ * @author Steve Riesenberg
+ * @since 5.6
+ * @see ReactiveOAuth2AuthorizedClientProvider
+ * @see WebClientReactiveJwtBearerTokenResponseClient
+ */
+public final class JwtBearerReactiveOAuth2AuthorizedClientProvider implements ReactiveOAuth2AuthorizedClientProvider {
+
+	private ReactiveOAuth2AccessTokenResponseClient<JwtBearerGrantRequest> accessTokenResponseClient = new WebClientReactiveJwtBearerTokenResponseClient();
+
+	private Duration clockSkew = Duration.ofSeconds(60);
+
+	private Clock clock = Clock.systemUTC();
+
+	/**
+	 * Attempt to authorize (or re-authorize) the
+	 * {@link OAuth2AuthorizationContext#getClientRegistration() client} in the provided
+	 * {@code context}. Returns an empty {@code Mono} if authorization (or
+	 * re-authorization) is not supported, e.g. the client's
+	 * {@link ClientRegistration#getAuthorizationGrantType() authorization grant type} is
+	 * not {@link AuthorizationGrantType#JWT_BEARER jwt-bearer} OR the
+	 * {@link OAuth2AuthorizedClient#getAccessToken() access token} is not expired.
+	 * @param context the context that holds authorization-specific state for the client
+	 * @return the {@link OAuth2AuthorizedClient} or an empty {@code Mono} if
+	 * authorization is not supported
+	 */
+	@Override
+	public Mono<OAuth2AuthorizedClient> authorize(OAuth2AuthorizationContext context) {
+		Assert.notNull(context, "context cannot be null");
+		ClientRegistration clientRegistration = context.getClientRegistration();
+		if (!AuthorizationGrantType.JWT_BEARER.equals(clientRegistration.getAuthorizationGrantType())) {
+			return Mono.empty();
+		}
+		OAuth2AuthorizedClient authorizedClient = context.getAuthorizedClient();
+		if (authorizedClient != null && !hasTokenExpired(authorizedClient.getAccessToken())) {
+			// If client is already authorized but access token is NOT expired than no
+			// need for re-authorization
+			return Mono.empty();
+		}
+		if (!(context.getPrincipal().getPrincipal() instanceof Jwt)) {
+			return Mono.empty();
+		}
+		Jwt jwt = (Jwt) context.getPrincipal().getPrincipal();
+		// As per spec, in section 4.1 Using Assertions as Authorization Grants
+		// https://tools.ietf.org/html/rfc7521#section-4.1
+		//
+		// An assertion used in this context is generally a short-lived
+		// representation of the authorization grant, and authorization servers
+		// SHOULD NOT issue access tokens with a lifetime that exceeds the
+		// validity period of the assertion by a significant period. In
+		// practice, that will usually mean that refresh tokens are not issued
+		// in response to assertion grant requests, and access tokens will be
+		// issued with a reasonably short lifetime. Clients can refresh an
+		// expired access token by requesting a new one using the same
+		// assertion, if it is still valid, or with a new assertion.
+		return Mono.just(new JwtBearerGrantRequest(clientRegistration, jwt))
+				.flatMap(this.accessTokenResponseClient::getTokenResponse)
+				.onErrorMap(OAuth2AuthorizationException.class,
+						(ex) -> new ClientAuthorizationException(ex.getError(), clientRegistration.getRegistrationId(),
+								ex))
+				.map((tokenResponse) -> new OAuth2AuthorizedClient(clientRegistration, context.getPrincipal().getName(),
+						tokenResponse.getAccessToken()));
+	}
+
+	private boolean hasTokenExpired(OAuth2Token token) {
+		return this.clock.instant().isAfter(token.getExpiresAt().minus(this.clockSkew));
+	}
+
+	/**
+	 * Sets the client used when requesting an access token credential at the Token
+	 * Endpoint for the {@code jwt-bearer} grant.
+	 * @param accessTokenResponseClient the client used when requesting an access token
+	 * credential at the Token Endpoint for the {@code jwt-bearer} grant
+	 */
+	public void setAccessTokenResponseClient(
+			ReactiveOAuth2AccessTokenResponseClient<JwtBearerGrantRequest> accessTokenResponseClient) {
+		Assert.notNull(accessTokenResponseClient, "accessTokenResponseClient cannot be null");
+		this.accessTokenResponseClient = accessTokenResponseClient;
+	}
+
+	/**
+	 * Sets the maximum acceptable clock skew, which is used when checking the
+	 * {@link OAuth2AuthorizedClient#getAccessToken() access token} expiry. The default is
+	 * 60 seconds.
+	 *
+	 * <p>
+	 * An access token is considered expired if
+	 * {@code OAuth2AccessToken#getExpiresAt() - clockSkew} is before the current time
+	 * {@code clock#instant()}.
+	 * @param clockSkew the maximum acceptable clock skew
+	 */
+	public void setClockSkew(Duration clockSkew) {
+		Assert.notNull(clockSkew, "clockSkew cannot be null");
+		Assert.isTrue(clockSkew.getSeconds() >= 0, "clockSkew must be >= 0");
+		this.clockSkew = clockSkew;
+	}
+
+	/**
+	 * Sets the {@link Clock} used in {@link Instant#now(Clock)} when checking the access
+	 * token expiry.
+	 * @param clock the clock
+	 */
+	public void setClock(Clock clock) {
+		Assert.notNull(clock, "clock cannot be null");
+		this.clock = clock;
+	}
+
+}
diff --git a/...mework/security/oauth2/client/endpoint/WebClientReactiveJwtBearerTokenResponseClient.java b/...mework/security/oauth2/client/endpoint/WebClientReactiveJwtBearerTokenResponseClient.java
@@ -0,0 +1,64 @@
+/*
+ * Copyright 2002-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.client.endpoint;
+
+import java.util.Set;
+
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.web.reactive.function.BodyInserters;
+import org.springframework.web.reactive.function.client.WebClient;
+
+/**
+ * The default implementation of an {@link ReactiveOAuth2AccessTokenResponseClient} for
+ * the {@link AuthorizationGrantType#JWT_BEARER jwt-bearer} grant. This implementation
+ * uses {@link WebClient} when requesting an access token credential at the Authorization
+ * Server's Token Endpoint.
+ *
+ * @author Steve Riesenberg
+ * @since 5.6
+ * @see ReactiveOAuth2AccessTokenResponseClient
+ * @see JwtBearerGrantRequest
+ * @see OAuth2AccessToken
+ * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7523#section-2.1">Section
+ * 2.1 Using JWTs as Authorization Grants</a>
+ * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7521#section-4.1">Section
+ * 4.1 Using Assertions as Authorization Grants</a>
+ */
+public final class WebClientReactiveJwtBearerTokenResponseClient
+		extends AbstractWebClientReactiveOAuth2AccessTokenResponseClient<JwtBearerGrantRequest> {
+
+	@Override
+	ClientRegistration clientRegistration(JwtBearerGrantRequest grantRequest) {
+		return grantRequest.getClientRegistration();
+	}
+
+	@Override
+	Set<String> scopes(JwtBearerGrantRequest grantRequest) {
+		return grantRequest.getClientRegistration().getScopes();
+	}
+
+	@Override
+	BodyInserters.FormInserter<String> populateTokenRequestBody(JwtBearerGrantRequest grantRequest,
+			BodyInserters.FormInserter<String> body) {
+		return super.populateTokenRequestBody(grantRequest, body).with(OAuth2ParameterNames.ASSERTION,
+				grantRequest.getJwt().getTokenValue());
+	}
+
+}