diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.java index 83a6f777f0c..6c13683a4b3 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2019 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -45,6 +45,7 @@ import java.time.Duration; import java.time.Instant; import java.util.Map; +import java.util.Optional; import java.util.function.Consumer; import static org.springframework.security.oauth2.core.web.reactive.function.OAuth2BodyExtractors.oauth2AccessTokenResponse; @@ -289,7 +290,11 @@ private Mono authorizeWithRefreshToken(ExchangeFunction .build(); return next.exchange(refreshRequest) .flatMap(refreshResponse -> refreshResponse.body(oauth2AccessTokenResponse())) - .map(accessTokenResponse -> new OAuth2AuthorizedClient(authorizedClient.getClientRegistration(), authorizedClient.getPrincipalName(), accessTokenResponse.getAccessToken(), accessTokenResponse.getRefreshToken())) + .map(accessTokenResponse -> { + OAuth2RefreshToken refreshToken = Optional.ofNullable(accessTokenResponse.getRefreshToken()) + .orElse(authorizedClient.getRefreshToken()); + return new OAuth2AuthorizedClient(authorizedClient.getClientRegistration(), authorizedClient.getPrincipalName(), accessTokenResponse.getAccessToken(), refreshToken); + }) .flatMap(result -> this.authorizedClientRepository.saveAuthorizedClient(result, authentication, exchange) .thenReturn(result)); } diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServletOAuth2AuthorizedClientExchangeFilterFunction.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServletOAuth2AuthorizedClientExchangeFilterFunction.java index 94ca3decd99..4b02e208e6c 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServletOAuth2AuthorizedClientExchangeFilterFunction.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServletOAuth2AuthorizedClientExchangeFilterFunction.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2019 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -391,7 +391,11 @@ private Mono authorizeWithRefreshToken(ClientRequest req .build(); return next.exchange(refreshRequest) .flatMap(response -> response.body(oauth2AccessTokenResponse())) - .map(accessTokenResponse -> new OAuth2AuthorizedClient(authorizedClient.getClientRegistration(), authorizedClient.getPrincipalName(), accessTokenResponse.getAccessToken(), accessTokenResponse.getRefreshToken())) + .map(accessTokenResponse -> { + OAuth2RefreshToken refreshToken = Optional.ofNullable(accessTokenResponse.getRefreshToken()) + .orElse(authorizedClient.getRefreshToken()); + return new OAuth2AuthorizedClient(authorizedClient.getClientRegistration(), authorizedClient.getPrincipalName(), accessTokenResponse.getAccessToken(), refreshToken); + }) .map(result -> { Authentication principal = (Authentication) request.attribute( AUTHENTICATION_ATTR_NAME).orElse(new PrincipalNameAuthentication(authorizedClient.getPrincipalName())); diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunctionTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunctionTests.java index eaa5613e549..d938229f458 100644 --- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunctionTests.java +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunctionTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2019 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -19,6 +19,8 @@ import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; +import org.mockito.ArgumentCaptor; +import org.mockito.Captor; import org.mockito.Mock; import org.mockito.junit.MockitoJUnitRunner; import org.springframework.core.codec.ByteBufferEncoder; @@ -94,6 +96,9 @@ public class ServerOAuth2AuthorizedClientExchangeFilterFunctionTests { @Mock private ServerWebExchange serverWebExchange; + @Captor + private ArgumentCaptor authorizedClientCaptor; + private ServerOAuth2AuthorizedClientExchangeFilterFunction function; private MockExchangeFunction exchange = new MockExchangeFunction(); @@ -260,7 +265,62 @@ public void filterWhenRefreshRequiredThenRefresh() { .subscriberContext(ReactiveSecurityContextHolder.withAuthentication(authentication)) .block(); - verify(this.authorizedClientRepository).saveAuthorizedClient(any(), eq(authentication), any()); + verify(this.authorizedClientRepository).saveAuthorizedClient(this.authorizedClientCaptor.capture(), eq(authentication), any()); + + OAuth2AuthorizedClient newAuthorizedClient = authorizedClientCaptor.getValue(); + assertThat(newAuthorizedClient.getAccessToken()).isEqualTo(response.getAccessToken()); + assertThat(newAuthorizedClient.getRefreshToken()).isEqualTo(response.getRefreshToken()); + + List requests = this.exchange.getRequests(); + assertThat(requests).hasSize(2); + + ClientRequest request0 = requests.get(0); + assertThat(request0.headers().getFirst(HttpHeaders.AUTHORIZATION)).isEqualTo("Basic Y2xpZW50LWlkOmNsaWVudC1zZWNyZXQ="); + assertThat(request0.url().toASCIIString()).isEqualTo("https://example.com/login/oauth/access_token"); + assertThat(request0.method()).isEqualTo(HttpMethod.POST); + assertThat(getBody(request0)).isEqualTo("grant_type=refresh_token&refresh_token=refresh-token"); + + ClientRequest request1 = requests.get(1); + assertThat(request1.headers().getFirst(HttpHeaders.AUTHORIZATION)).isEqualTo("Bearer token-1"); + assertThat(request1.url().toASCIIString()).isEqualTo("https://example.com"); + assertThat(request1.method()).isEqualTo(HttpMethod.GET); + assertThat(getBody(request1)).isEmpty(); + } + + @Test + public void filterWhenRefreshRequiredThenRefreshAndResponseDoesNotContainRefreshToken() { + when(this.authorizedClientRepository.saveAuthorizedClient(any(), any(), any())).thenReturn(Mono.empty()); + OAuth2AccessTokenResponse response = OAuth2AccessTokenResponse.withToken("token-1") + .tokenType(OAuth2AccessToken.TokenType.BEARER) + .expiresIn(3600) +// .refreshToken(xxx) // No refreshToken in response + .build(); + when(this.exchange.getResponse().body(any())).thenReturn(Mono.just(response)); + Instant issuedAt = Instant.now().minus(Duration.ofDays(1)); + Instant accessTokenExpiresAt = issuedAt.plus(Duration.ofHours(1)); + + this.accessToken = new OAuth2AccessToken(this.accessToken.getTokenType(), + this.accessToken.getTokenValue(), + issuedAt, + accessTokenExpiresAt); + + OAuth2RefreshToken refreshToken = new OAuth2RefreshToken("refresh-token", issuedAt); + OAuth2AuthorizedClient authorizedClient = new OAuth2AuthorizedClient(this.registration, + "principalName", this.accessToken, refreshToken); + ClientRequest request = ClientRequest.create(GET, URI.create("https://example.com")) + .attributes(oauth2AuthorizedClient(authorizedClient)) + .build(); + + TestingAuthenticationToken authentication = new TestingAuthenticationToken("test", "this"); + this.function.filter(request, this.exchange) + .subscriberContext(ReactiveSecurityContextHolder.withAuthentication(authentication)) + .block(); + + verify(this.authorizedClientRepository).saveAuthorizedClient(this.authorizedClientCaptor.capture(), eq(authentication), any()); + + OAuth2AuthorizedClient newAuthorizedClient = authorizedClientCaptor.getValue(); + assertThat(newAuthorizedClient.getAccessToken()).isEqualTo(response.getAccessToken()); + assertThat(newAuthorizedClient.getRefreshToken()).isEqualTo(authorizedClient.getRefreshToken()); List requests = this.exchange.getRequests(); assertThat(requests).hasSize(2); diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServletOAuth2AuthorizedClientExchangeFilterFunctionTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServletOAuth2AuthorizedClientExchangeFilterFunctionTests.java index e6dfa7a1e99..2a3b3614210 100644 --- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServletOAuth2AuthorizedClientExchangeFilterFunctionTests.java +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServletOAuth2AuthorizedClientExchangeFilterFunctionTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2019 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -101,6 +101,8 @@ public class ServletOAuth2AuthorizedClientExchangeFilterFunctionTests { private WebClient.RequestHeadersSpec spec; @Captor private ArgumentCaptor>> attrs; + @Captor + private ArgumentCaptor authorizedClientCaptor; /** * Used for get the attributes from defaultRequest. @@ -406,7 +408,61 @@ public void filterWhenRefreshRequiredThenRefresh() { this.function.filter(request, this.exchange).block(); - verify(this.authorizedClientRepository).saveAuthorizedClient(any(), eq(this.authentication), any(), any()); + verify(this.authorizedClientRepository).saveAuthorizedClient(this.authorizedClientCaptor.capture(), eq(this.authentication), any(), any()); + + OAuth2AuthorizedClient newAuthorizedClient = authorizedClientCaptor.getValue(); + assertThat(newAuthorizedClient.getAccessToken()).isEqualTo(response.getAccessToken()); + assertThat(newAuthorizedClient.getRefreshToken()).isEqualTo(response.getRefreshToken()); + + List requests = this.exchange.getRequests(); + assertThat(requests).hasSize(2); + + ClientRequest request0 = requests.get(0); + assertThat(request0.headers().getFirst(HttpHeaders.AUTHORIZATION)).isEqualTo("Basic Y2xpZW50LWlkOmNsaWVudC1zZWNyZXQ="); + assertThat(request0.url().toASCIIString()).isEqualTo("https://example.com/login/oauth/access_token"); + assertThat(request0.method()).isEqualTo(HttpMethod.POST); + assertThat(getBody(request0)).isEqualTo("grant_type=refresh_token&refresh_token=refresh-token"); + + ClientRequest request1 = requests.get(1); + assertThat(request1.headers().getFirst(HttpHeaders.AUTHORIZATION)).isEqualTo("Bearer token-1"); + assertThat(request1.url().toASCIIString()).isEqualTo("https://example.com"); + assertThat(request1.method()).isEqualTo(HttpMethod.GET); + assertThat(getBody(request1)).isEmpty(); + } + + @Test + public void filterWhenRefreshRequiredThenRefreshAndResponseDoesNotContainRefreshToken() { + OAuth2AccessTokenResponse response = OAuth2AccessTokenResponse.withToken("token-1") + .tokenType(OAuth2AccessToken.TokenType.BEARER) + .expiresIn(3600) +// .refreshToken(xxx) // No refreshToken in response + .build(); + when(this.exchange.getResponse().body(any())).thenReturn(Mono.just(response)); + Instant issuedAt = Instant.now().minus(Duration.ofDays(1)); + Instant accessTokenExpiresAt = issuedAt.plus(Duration.ofHours(1)); + + this.accessToken = new OAuth2AccessToken(this.accessToken.getTokenType(), + this.accessToken.getTokenValue(), + issuedAt, + accessTokenExpiresAt); + this.function = new ServletOAuth2AuthorizedClientExchangeFilterFunction(this.clientRegistrationRepository, + this.authorizedClientRepository); + + OAuth2RefreshToken refreshToken = new OAuth2RefreshToken("refresh-token", issuedAt); + OAuth2AuthorizedClient authorizedClient = new OAuth2AuthorizedClient(this.registration, + "principalName", this.accessToken, refreshToken); + ClientRequest request = ClientRequest.create(GET, URI.create("https://example.com")) + .attributes(oauth2AuthorizedClient(authorizedClient)) + .attributes(authentication(this.authentication)) + .build(); + + this.function.filter(request, this.exchange).block(); + + verify(this.authorizedClientRepository).saveAuthorizedClient(this.authorizedClientCaptor.capture(), eq(this.authentication), any(), any()); + + OAuth2AuthorizedClient newAuthorizedClient = authorizedClientCaptor.getValue(); + assertThat(newAuthorizedClient.getAccessToken()).isEqualTo(response.getAccessToken()); + assertThat(newAuthorizedClient.getRefreshToken()).isEqualTo(refreshToken); List requests = this.exchange.getRequests(); assertThat(requests).hasSize(2);