
Adding nonce to Authentication Request #4442 #4628


Expand Up @@ -122,6 +122,8 @@ protected void sendRedirectForAuthorizationCode(HttpServletRequest request, Http
throw new IllegalArgumentException("Invalid Client Identifier (Registration Id): " + registrationId);
}

String nonce = request.getParameter(OAuth2Parameter.NONCE);

String redirectUriStr = this.expandRedirectUri(request, clientRegistration);

Map<String,Object> additionalParameters = new HashMap<>();
Expand All @@ -134,6 +136,7 @@ protected void sendRedirectForAuthorizationCode(HttpServletRequest request, Http
.redirectUri(redirectUriStr)
.scope(clientRegistration.getScope())
.state(this.stateGenerator.generateKey())
.nonce(nonce)
.additionalParameters(additionalParameters)
.build();

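Review bot: The nonce at `String nonce = request.getParameter(OAuth2Parameter.NONCE);` is taken from the incoming user-agent request, so it is chosen by whoever initiates the login rather than by the client, and it is null whenever the parameter is absent. Two lines further down the state is produced server-side with `this.stateGenerator.generateKey()`; the nonce should be produced the same way, e.g. `String nonce = this.stateGenerator.generateKey();` (assuming that generator is the unguessable one already trusted for state), and kept with the saved authorization request so it can later be compared against the nonce claim of the ID token, which nothing visible in this commit does. sendRedirectForAuthorizationCode starts and ends outside the hunks.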
Expand Up @@ -32,6 +32,7 @@
* <li>response type (required)</li>
* <li>requested scope(s) (optional)</li>
* <li>state (recommended)</li>
* <li>nonce (recommended)</li>
* <li>redirection URI (optional) - the authorization server will send the user-agent back to once access is granted (or denied) by the end-user (resource owner)</li>
* </ul>
*
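Review bot: The new list item `* <li>nonce (recommended)</li>` gives nonce the same weight as state, but OpenID Connect Core draws a distinction the Javadoc should carry: the nonce is required for the implicit flow and optional for the authorization code flow. Suggest `* <li>nonce (required for implicit flow, optional for authorization code flow)</li>` so a reader does not treat it as a second state value.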
Expand Up @@ -46,7 +46,8 @@ public URI build(AuthorizationRequestAttributes authorizationRequestAttributes)
.queryParam(OAuth2Parameter.CLIENT_ID, authorizationRequestAttributes.getClientId())
.queryParam(OAuth2Parameter.SCOPE,
authorizationRequestAttributes.getScope().stream().collect(Collectors.joining(" ")))
.queryParam(OAuth2Parameter.STATE, authorizationRequestAttributes.getState());
.queryParam(OAuth2Parameter.STATE, authorizationRequestAttributes.getState())
.queryParam(OAuth2Parameter.NONCE, authorizationRequestAttributes.getNonce());

return uriBuilder.build().encode().toUri();
}
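Review bot: `.queryParam(OAuth2Parameter.NONCE, authorizationRequestAttributes.getNonce())` is appended unconditionally, so an authorization request whose nonce is null (the redirect filter in this commit only has one when the caller supplied the parameter) will still emit a `nonce` entry in the query string rather than omitting it; state appears to be always populated, so the same pattern is harmless there but not here. Terminate the chain after the state parameter and add `if (authorizationRequestAttributes.getNonce() != null) { uriBuilder.queryParam(OAuth2Parameter.NONCE, authorizationRequestAttributes.getNonce()); }` before the `return`. The build method starts outside the hunk.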
Expand Up @@ -105,10 +105,12 @@ public void doFilterWhenAuthorizationCodeSuccessResponseThenAuthenticationSucces
MockHttpServletRequest request = this.setupRequest(clientRegistration);
String authCode = "some code";
String state = "some state";
String nonce = "some nonce";
request.addParameter(OAuth2Parameter.CODE, authCode);
request.addParameter(OAuth2Parameter.STATE, state);
request.addParameter(OAuth2Parameter.NONCE, nonce);
MockHttpServletResponse response = new MockHttpServletResponse();
setupAuthorizationRequest(authorizationRequestRepository, request, response, clientRegistration, state);
setupAuthorizationRequest(authorizationRequestRepository, request, response, clientRegistration, state, nonce);
FilterChain filterChain = Mockito.mock(FilterChain.class);

filter.doFilter(request, response, filterChain);
Expand Down Expand Up @@ -155,10 +157,12 @@ public void doFilterWhenAuthorizationCodeSuccessResponseWithInvalidStateParamThe
MockHttpServletRequest request = this.setupRequest(clientRegistration);
String authCode = "some code";
String state = "some other state";
String nonce = "some nonce";
request.addParameter(OAuth2Parameter.CODE, authCode);
request.addParameter(OAuth2Parameter.STATE, state);
request.addParameter(OAuth2Parameter.NONCE, nonce);
MockHttpServletResponse response = new MockHttpServletResponse();
setupAuthorizationRequest(authorizationRequestRepository, request, response, clientRegistration, "some state");
setupAuthorizationRequest(authorizationRequestRepository, request, response, clientRegistration, "some state", nonce);
FilterChain filterChain = Mockito.mock(FilterChain.class);

filter.doFilter(request, response, filterChain);
Expand All @@ -180,10 +184,12 @@ public void doFilterWhenAuthorizationCodeSuccessResponseWithInvalidRedirectUriPa
request.setRequestURI(request.getRequestURI() + "-other");
String authCode = "some code";
String state = "some state";
String nonce = "some nonce";
request.addParameter(OAuth2Parameter.CODE, authCode);
request.addParameter(OAuth2Parameter.STATE, state);
request.addParameter(OAuth2Parameter.NONCE, nonce);
MockHttpServletResponse response = new MockHttpServletResponse();
setupAuthorizationRequest(authorizationRequestRepository, request, response, clientRegistration, state);
setupAuthorizationRequest(authorizationRequestRepository, request, response, clientRegistration, state, nonce);
FilterChain filterChain = Mockito.mock(FilterChain.class);

filter.doFilter(request, response, filterChain);
Expand Down Expand Up @@ -230,7 +236,8 @@ private void setupAuthorizationRequest(AuthorizationRequestRepository authorizat
HttpServletRequest request,
HttpServletResponse response,
ClientRegistration clientRegistration,
String state) {
String state,
String nonce) {

Map<String,Object> additionalParameters = new HashMap<>();
additionalParameters.put(OAuth2Parameter.REGISTRATION_ID, clientRegistration.getRegistrationId());
Expand All @@ -242,6 +249,7 @@ private void setupAuthorizationRequest(AuthorizationRequestRepository authorizat
.redirectUri(clientRegistration.getRedirectUri())
.scope(clientRegistration.getScope())
.state(state)
.nonce(nonce)
.additionalParameters(additionalParameters)
.build();

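Review bot: The three tests now put a nonce on the callback request (`request.addParameter(OAuth2Parameter.NONCE, nonce);`) and into the stored authorization request, but no assertion in this file checks that the two are compared, and nothing visible in this diff changes the processing filter, so the added lines exercise no new behaviour. In the authorization code flow the authorization server does not echo the nonce on the redirect back to the client; it is returned inside the ID token, so a verification test would need to control the ID token's nonce claim rather than a request parameter. A counterpart to the invalid-state test in the second hunk, e.g. `setupAuthorizationRequest(authorizationRequestRepository, request, response, clientRegistration, state, "some other nonce");` followed by an assertion that authentication fails, would give the new field a real test once verification exists. setupAuthorizationRequest's body continues outside the last hunk.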
Expand Up @@ -92,6 +92,7 @@ public void doFilterWhenRequestMatchesClientThenAuthorizationRequestSavedInSessi
String requestUri = TestUtil.AUTHORIZATION_BASE_URI + "/" + clientRegistration.getRegistrationId();
MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
request.setServletPath(requestUri);
request.addParameter("nonce", "some nonce");
MockHttpServletResponse response = new MockHttpServletResponse();
FilterChain filterChain = Mockito.mock(FilterChain.class);

Expand All @@ -111,6 +112,7 @@ public void doFilterWhenRequestMatchesClientThenAuthorizationRequestSavedInSessi
Assertions.assertThat(authorizationRequestAttributes.getRedirectUri()).isNotNull();
Assertions.assertThat(authorizationRequestAttributes.getScope()).isNotNull();
Assertions.assertThat(authorizationRequestAttributes.getState()).isNotNull();
Assertions.assertThat(authorizationRequestAttributes.getNonce()).isNotNull();
}

private AuthorizationCodeRequestRedirectFilter setupFilter(String authorizationUri,
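Review bot: `request.addParameter("nonce", "some nonce");` uses a string literal where every other hunk in this commit uses `OAuth2Parameter.NONCE`; use the constant so a change to the parameter name cannot silently break the test. The assertion `Assertions.assertThat(authorizationRequestAttributes.getNonce()).isNotNull();` would also pass for any stray value; `.isEqualTo("some nonce")` pins that the value actually came through the filter, and if the nonce is later generated server-side instead the assertion should check it is non-blank and differs from the state. The test method starts before the first hunk and closes at the brace in the second.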
Expand Up @@ -31,6 +31,7 @@
* for the authorization code grant type or implicit grant type.
*
* @author Joe Grandja
* @author Shazin Sadakath
* @since 5.0
* @see AuthorizationGrantType
* @see ResponseType
Expand All @@ -45,6 +46,7 @@ public final class AuthorizationRequestAttributes implements Serializable {
private String redirectUri;
private Set<String> scope;
private String state;
private String nonce;
private Map<String,Object> additionalParameters;

private AuthorizationRequestAttributes() {
Expand Down Expand Up @@ -82,6 +84,10 @@ public Map<String, Object> getAdditionalParameters() {
return this.additionalParameters;
}

public String getNonce() {
return nonce;
}

public static Builder withAuthorizationCode() {
return new Builder(AuthorizationGrantType.AUTHORIZATION_CODE);
}
Expand Down Expand Up @@ -123,6 +129,11 @@ public Builder state(String state) {
return this;
}

public Builder nonce(String nonce) {
this.authorizationRequest.nonce = nonce;
return this;
}

public Builder additionalParameters(Map<String,Object> additionalParameters) {
this.authorizationRequest.additionalParameters = additionalParameters;
return this;
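Review bot: `return nonce;` in the new getter drops the explicit `this.` that the neighbouring getter uses (`return this.additionalParameters;`) and that the new builder method uses for its assignment; write `return this.nonce;` for consistency. The class is Serializable and, judging by the session test in this commit, is stored in the HTTP session, so the nonce now lives there alongside the state; a one-line Javadoc on the field or getter naming it as the OpenID Connect nonce sent on the authorization request would stop it being mistaken for a second state value. The class continues outside the hunks.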
Expand Up @@ -45,4 +45,6 @@ public interface OAuth2Parameter {

String REGISTRATION_ID = "registration_id"; // Non-standard additional parameter

String NONCE = "nonce";

}
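Review bot: `String NONCE = "nonce";` is placed below `REGISTRATION_ID`, which the existing comment marks as a non-standard additional parameter, so a reader may take nonce for another local extension. Move it above that line with the protocol parameters and note its origin, e.g. `String NONCE = "nonce"; // OpenID Connect Core 1.0`. The interface's other constants are outside the hunk.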