Extract OidcTokenValidator to an OAuth2TokenValidator #6298

Closed

jgrandja (Contributor):

Fixes #5930

Note: This is rebased off #5751

@jgrandja jgrandja requested a review from rwinch December 17, 2018 22:29
return clientRegistration -> getJwtDecoder();
}

private static JwtDecoder getJwtDecoder() {
rwinch (Member):

Does it make sense to return a mock so that testing is easier?

jgrandja (Contributor, Author):

I could return a mock(JwtDecoder.class), but mocking the return value of decode() will produce the same amount of code, so it doesn't really make it easier. However, it might make more sense to do it this way, so I will apply the change.

}

private static void throwInvalidIdTokenException() {
rwinch (Member):

Why are we making this change in this set of commits? Also this appears to break passivity. Is there a reason for this?

jgrandja (Contributor, Author):

I'm not sure I understand? The contract for OAuth2TokenValidator is OAuth2TokenValidatorResult validate(Jwt idToken), so it should return an OAuth2TokenValidatorResult containing the Collection<OAuth2Error>.

The original implementation would throw an OAuth2AuthenticationException on validation failure, but now it returns an OAuth2TokenValidatorResult and the JwtDecoder will throw a JwtException. However, both OidcAuthorizationCodeAuthenticationProvider and OidcAuthorizationCodeReactiveAuthenticationManager will catch the JwtException and throw OAuth2AuthenticationException to preserve passivity. Am I missing something?

rwinch (Member), Dec 19, 2018:

Sorry, I didn't notice that OidcTokenValidator was package scope. My concern was that users might be using the API directly, which would break them. This is not a concern since it is package scope, so please ignore.

@Test
public void validateIdTokenWhenIssuerNullThenHasErrors() {
this.claims.remove(IdTokenClaimNames.ISS);
assertThat(this.validateIdToken()).isNotEmpty();
rwinch (Member):

Previously the assertions were verifying the correct error was present. Please update these tests to assert that the correct error is in the results too.

NOTE: This comment applies to any assertThat(this.validateIdToken()).isNotEmpty();

jgrandja (Contributor, Author):

I updated to assert on OAuth2Error as per request.
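The two points discussed above (the OAuth2TokenValidator contract that reports failures as OAuth2Errors instead of throwing, with the JwtDecoder's JwtException mapped back to OAuth2AuthenticationException by the caller, and the reviewer's request that tests assert on the specific error rather than on a non-empty result) are illustrated together by the following example. It is added here and is not code from this PR or from Spring Security; the class name ExampleIdTokenValidator, the error code "invalid_id_token", the expected issuer and client id, and the constructed claims are all assumptions. It assumes the Spring Security 5.1+ oauth2-core and oauth2-jose APIs (OAuth2TokenValidator, OAuth2TokenValidatorResult, OAuth2Error, Jwt, JwtDecoder, JwtException, IdTokenClaimNames).

```java
import java.net.URL;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;

// Hypothetical validator written for this example (not the PR's own class).
// It follows the contract discussed in the thread: collect OAuth2Errors in the
// result and never throw from validate().
public class ExampleIdTokenValidator implements OAuth2TokenValidator<Jwt> {

    // Constructed error code for this example; assumption, not a value from the PR.
    static final String INVALID_ID_TOKEN = "invalid_id_token";

    private final String expectedIssuer;
    private final String clientId;

    public ExampleIdTokenValidator(String expectedIssuer, String clientId) {
        this.expectedIssuer = expectedIssuer;
        this.clientId = clientId;
    }

    @Override
    public OAuth2TokenValidatorResult validate(Jwt idToken) {
        List<OAuth2Error> errors = new ArrayList<>();

        // iss: must be present and must be the provider we expect
        URL issuer = idToken.getIssuer();
        if (issuer == null) {
            errors.add(error("Missing " + IdTokenClaimNames.ISS + " claim"));
        } else if (!this.expectedIssuer.equals(issuer.toString())) {
            errors.add(error("The " + IdTokenClaimNames.ISS + " claim does not match the expected issuer"));
        }

        // aud: must contain our client id, otherwise the token was minted for someone else
        List<String> audience = idToken.getAudience();
        if (audience == null || !audience.contains(this.clientId)) {
            errors.add(error("The " + IdTokenClaimNames.AUD + " claim does not contain the client id"));
        }

        // exp: must be in the future
        Instant expiresAt = idToken.getExpiresAt();
        if (expiresAt == null || !Instant.now().isBefore(expiresAt)) {
            errors.add(error("The ID Token is expired or has no " + IdTokenClaimNames.EXP + " claim"));
        }

        return errors.isEmpty() ? OAuth2TokenValidatorResult.success()
                : OAuth2TokenValidatorResult.failure(errors);
    }

    private static OAuth2Error error(String description) {
        return new OAuth2Error(INVALID_ID_TOKEN, description, null);
    }

    // The exception mapping described in the thread: the JwtDecoder (which runs the
    // validator) throws JwtException, and the caller translates it so that the
    // authentication outcome is still an OAuth2AuthenticationException.
    public static Jwt decodeIdToken(JwtDecoder decoder, String rawIdToken) {
        try {
            return decoder.decode(rawIdToken);
        } catch (JwtException ex) {
            OAuth2Error error = new OAuth2Error(INVALID_ID_TOKEN, ex.getMessage(), null);
            throw new OAuth2AuthenticationException(error, ex);
        }
    }

    public static void main(String[] args) {
        // Constructed claims for the "issuer null" case from the test above: no iss claim at all.
        Instant now = Instant.now();
        Map<String, Object> claims = new HashMap<>();
        claims.put(IdTokenClaimNames.SUB, "user-123");
        claims.put(IdTokenClaimNames.AUD, Collections.singletonList("client-abc"));
        claims.put(IdTokenClaimNames.IAT, now);
        claims.put(IdTokenClaimNames.EXP, now.plusSeconds(300));
        Jwt idToken = new Jwt("constructed-token-value", now, now.plusSeconds(300),
                Collections.singletonMap("alg", "none"), claims);

        OAuth2TokenValidatorResult result =
                new ExampleIdTokenValidator("https://issuer.example.com", "client-abc").validate(idToken);

        // Check for the specific error, not merely a non-empty result, as the review asked.
        boolean hasMissingIssuerError = result.getErrors().stream()
                .anyMatch(e -> INVALID_ID_TOKEN.equals(e.getErrorCode())
                        && e.getDescription().contains(IdTokenClaimNames.ISS));
        if (!result.hasErrors() || !hasMissingIssuerError) {
            throw new AssertionError("expected an iss error, got " + result.getErrors());
        }
        System.out.println("Validation failed as expected: " + result.getErrors());
    }
}
```

In a JUnit test the same check reads as an assertion on result.getErrors() that an OAuth2Error with the expected error code and description is present; asserting only isNotEmpty() would also pass if, say, the audience check had fired instead, which is why the review asked for the stronger assertion.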

rwinch (Member) commented Dec 20, 2018:

Thanks @jgrandja! The code looks good to me now. Can you update labels, milestones, rebase, squash and merge these changes?

jgrandja (Contributor, Author):

@rwinch Sure, I can merge this. But can you review/approve #5751 first, as this PR is rebased off that one? I pushed the latest feedback request, so that one may be good to go on your end.

rwinch (Member) commented Dec 21, 2018:

@jgrandja The changes look good. Can you please go ahead and rebase, squash and merge these changes?

@jgrandja jgrandja added the labels type: enhancement (A general enhancement), in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and OIDC on Dec 21, 2018
@jgrandja jgrandja added this to the 5.2.0.M1 milestone Dec 21, 2018
jgrandja (Contributor, Author):

Merged via 9c0d78d

@jgrandja jgrandja closed this Dec 21, 2018
@jgrandja jgrandja deleted the gh-5930-idtoken-validator branch December 21, 2018 16:16
2 participants