Steve Riesenberg
2 years ago
16 changed files with 1129 additions and 12 deletions
@ -0,0 +1,53 @@ |
|||||||
|
/* |
||||||
|
* Copyright 2020-2024 the original author or authors. |
||||||
|
* |
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||||
|
* you may not use this file except in compliance with the License. |
||||||
|
* You may obtain a copy of the License at |
||||||
|
* |
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* |
||||||
|
* Unless required by applicable law or agreed to in writing, software |
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, |
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||||
|
* See the License for the specific language governing permissions and |
||||||
|
* limitations under the License. |
||||||
|
*/ |
||||||
|
|
||||||
|
package org.springframework.security.oauth2.server.authorization.authentication; |
||||||
|
|
||||||
|
import java.io.Serializable; |
||||||
|
import java.util.Collections; |
||||||
|
|
||||||
|
import org.springframework.security.authentication.AbstractAuthenticationToken; |
||||||
|
import org.springframework.security.core.Authentication; |
||||||
|
import org.springframework.util.Assert; |
||||||
|
|
||||||
|
/** |
||||||
|
* An {@link Authentication} implementation used for the OAuth 2.0 Token Exchange Grant |
||||||
|
* to represent an actor in a composite token (e.g. the "delegation" use case). |
||||||
|
* |
||||||
|
* @author Steve Riesenberg |
||||||
|
* @since 1.3 |
||||||
|
* @see OAuth2CompositeAuthenticationToken |
||||||
|
*/ |
||||||
|
public class OAuth2ActorAuthenticationToken extends AbstractAuthenticationToken implements Serializable { |
||||||
|
|
||||||
|
private final String name; |
||||||
|
|
||||||
|
public OAuth2ActorAuthenticationToken(String name) { |
||||||
|
super(Collections.emptyList()); |
||||||
|
Assert.hasText(name, "name cannot be empty"); |
||||||
|
this.name = name; |
||||||
|
} |
||||||
|
|
||||||
|
@Override |
||||||
|
public Object getPrincipal() { |
||||||
|
return this.name; |
||||||
|
} |
||||||
|
|
||||||
|
@Override |
||||||
|
public Object getCredentials() { |
||||||
|
return null; |
||||||
|
} |
||||||
|
} |
||||||
@ -0,0 +1,69 @@ |
|||||||
|
/* |
||||||
|
* Copyright 2020-2024 the original author or authors. |
||||||
|
* |
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||||
|
* you may not use this file except in compliance with the License. |
||||||
|
* You may obtain a copy of the License at |
||||||
|
* |
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* |
||||||
|
* Unless required by applicable law or agreed to in writing, software |
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, |
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||||
|
* See the License for the specific language governing permissions and |
||||||
|
* limitations under the License. |
||||||
|
*/ |
||||||
|
|
||||||
|
package org.springframework.security.oauth2.server.authorization.authentication; |
||||||
|
|
||||||
|
import java.io.Serializable; |
||||||
|
import java.util.ArrayList; |
||||||
|
import java.util.Collections; |
||||||
|
import java.util.List; |
||||||
|
|
||||||
|
import org.springframework.security.authentication.AbstractAuthenticationToken; |
||||||
|
import org.springframework.security.core.Authentication; |
||||||
|
import org.springframework.util.Assert; |
||||||
|
|
||||||
|
/** |
||||||
|
* An {@link Authentication} implementation used for the OAuth 2.0 Token Exchange Grant |
||||||
|
* to represent the principal in a composite token (e.g. the "delegation" use case). |
||||||
|
* |
||||||
|
* @author Steve Riesenberg |
||||||
|
* @since 1.3 |
||||||
|
* @see OAuth2TokenExchangeAuthenticationToken |
||||||
|
*/ |
||||||
|
public class OAuth2CompositeAuthenticationToken extends AbstractAuthenticationToken implements Serializable { |
||||||
|
|
||||||
|
private final Authentication subject; |
||||||
|
|
||||||
|
private final List<Authentication> actors; |
||||||
|
|
||||||
|
public OAuth2CompositeAuthenticationToken(Authentication subject, List<Authentication> actors) { |
||||||
|
super(subject != null ? subject.getAuthorities() : null); |
||||||
|
Assert.notNull(subject, "subject cannot be null"); |
||||||
|
Assert.notNull(actors, "actors cannot be null"); |
||||||
|
this.subject = subject; |
||||||
|
this.actors = Collections.unmodifiableList(new ArrayList<>(actors)); |
||||||
|
setDetails(subject.getDetails()); |
||||||
|
setAuthenticated(subject.isAuthenticated()); |
||||||
|
} |
||||||
|
|
||||||
|
@Override |
||||||
|
public Object getPrincipal() { |
||||||
|
return this.subject.getPrincipal(); |
||||||
|
} |
||||||
|
|
||||||
|
@Override |
||||||
|
public Object getCredentials() { |
||||||
|
return null; |
||||||
|
} |
||||||
|
|
||||||
|
public Authentication getSubject() { |
||||||
|
return this.subject; |
||||||
|
} |
||||||
|
|
||||||
|
public List<Authentication> getActors() { |
||||||
|
return this.actors; |
||||||
|
} |
||||||
|
} |
||||||
@ -0,0 +1,314 @@ |
|||||||
|
/* |
||||||
|
* Copyright 2020-2024 the original author or authors. |
||||||
|
* |
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||||
|
* you may not use this file except in compliance with the License. |
||||||
|
* You may obtain a copy of the License at |
||||||
|
* |
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* |
||||||
|
* Unless required by applicable law or agreed to in writing, software |
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, |
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||||
|
* See the License for the specific language governing permissions and |
||||||
|
* limitations under the License. |
||||||
|
*/ |
||||||
|
package org.springframework.security.oauth2.server.authorization.authentication; |
||||||
|
|
||||||
|
import java.security.Principal; |
||||||
|
import java.util.Collections; |
||||||
|
import java.util.HashMap; |
||||||
|
import java.util.LinkedHashSet; |
||||||
|
import java.util.LinkedList; |
||||||
|
import java.util.List; |
||||||
|
import java.util.Map; |
||||||
|
import java.util.Set; |
||||||
|
|
||||||
|
import org.apache.commons.logging.Log; |
||||||
|
import org.apache.commons.logging.LogFactory; |
||||||
|
|
||||||
|
import org.springframework.security.authentication.AuthenticationProvider; |
||||||
|
import org.springframework.security.core.Authentication; |
||||||
|
import org.springframework.security.core.AuthenticationException; |
||||||
|
import org.springframework.security.oauth2.core.AuthorizationGrantType; |
||||||
|
import org.springframework.security.oauth2.core.ClaimAccessor; |
||||||
|
import org.springframework.security.oauth2.core.OAuth2AccessToken; |
||||||
|
import org.springframework.security.oauth2.core.OAuth2AuthenticationException; |
||||||
|
import org.springframework.security.oauth2.core.OAuth2Error; |
||||||
|
import org.springframework.security.oauth2.core.OAuth2ErrorCodes; |
||||||
|
import org.springframework.security.oauth2.core.OAuth2Token; |
||||||
|
import org.springframework.security.oauth2.core.oidc.StandardClaimNames; |
||||||
|
import org.springframework.security.oauth2.jwt.Jwt; |
||||||
|
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization; |
||||||
|
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService; |
||||||
|
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType; |
||||||
|
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient; |
||||||
|
import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder; |
||||||
|
import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat; |
||||||
|
import org.springframework.security.oauth2.server.authorization.token.DefaultOAuth2TokenContext; |
||||||
|
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenContext; |
||||||
|
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator; |
||||||
|
import org.springframework.util.Assert; |
||||||
|
import org.springframework.util.CollectionUtils; |
||||||
|
import org.springframework.util.StringUtils; |
||||||
|
|
||||||
|
import static org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthenticationProviderUtils.getAuthenticatedClientElseThrowInvalidClient; |
||||||
|
|
||||||
|
/** |
||||||
|
* An {@link AuthenticationProvider} implementation for the OAuth 2.0 Token Exchange Grant. |
||||||
|
* |
||||||
|
* @author Steve Riesenberg |
||||||
|
* @since 1.3 |
||||||
|
* @see OAuth2TokenExchangeAuthenticationToken |
||||||
|
* @see OAuth2AccessTokenAuthenticationToken |
||||||
|
* @see OAuth2AuthorizationService |
||||||
|
* @see OAuth2TokenGenerator |
||||||
|
* @see <a target="_blank" href="https://datatracker.ietf.org/doc/html/rfc8693#section-1">Section 1 Introduction</a> |
||||||
|
* @see <a target="_blank" href="https://datatracker.ietf.org/doc/html/rfc8693#section-2.1">Section 2.1 Request</a> |
||||||
|
*/ |
||||||
|
public final class OAuth2TokenExchangeAuthenticationProvider implements AuthenticationProvider { |
||||||
|
|
||||||
|
private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2"; |
||||||
|
|
||||||
|
private static final AuthorizationGrantType TOKEN_EXCHANGE = new AuthorizationGrantType( |
||||||
|
"urn:ietf:params:oauth:grant-type:token-exchange"); |
||||||
|
|
||||||
|
private static final String JWT_TOKEN_TYPE_VALUE = "urn:ietf:params:oauth:token-type:jwt"; |
||||||
|
|
||||||
|
private static final String MAY_ACT = "may_act"; |
||||||
|
|
||||||
|
private static final String ISSUED_TOKEN_TYPE = "issued_token_type"; |
||||||
|
|
||||||
|
private final Log logger = LogFactory.getLog(getClass()); |
||||||
|
|
||||||
|
private final OAuth2AuthorizationService authorizationService; |
||||||
|
|
||||||
|
private final OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator; |
||||||
|
|
||||||
|
/** |
||||||
|
* Constructs an {@code OAuth2TokenExchangeAuthenticationProvider} using the provided parameters. |
||||||
|
* |
||||||
|
* @param authorizationService the authorization service |
||||||
|
* @param tokenGenerator the token generator |
||||||
|
*/ |
||||||
|
public OAuth2TokenExchangeAuthenticationProvider(OAuth2AuthorizationService authorizationService, |
||||||
|
OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator) { |
||||||
|
Assert.notNull(authorizationService, "authorizationService cannot be null"); |
||||||
|
Assert.notNull(tokenGenerator, "tokenGenerator cannot be null"); |
||||||
|
this.authorizationService = authorizationService; |
||||||
|
this.tokenGenerator = tokenGenerator; |
||||||
|
} |
||||||
|
|
||||||
|
@Override |
||||||
|
public Authentication authenticate(Authentication authentication) throws AuthenticationException { |
||||||
|
OAuth2TokenExchangeAuthenticationToken tokenExchangeAuthentication = |
||||||
|
(OAuth2TokenExchangeAuthenticationToken) authentication; |
||||||
|
|
||||||
|
OAuth2ClientAuthenticationToken clientPrincipal = |
||||||
|
getAuthenticatedClientElseThrowInvalidClient(tokenExchangeAuthentication); |
||||||
|
RegisteredClient registeredClient = clientPrincipal.getRegisteredClient(); |
||||||
|
|
||||||
|
if (this.logger.isTraceEnabled()) { |
||||||
|
this.logger.trace("Retrieved registered client"); |
||||||
|
} |
||||||
|
|
||||||
|
if (!registeredClient.getAuthorizationGrantTypes().contains(TOKEN_EXCHANGE)) { |
||||||
|
throw new OAuth2AuthenticationException(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT); |
||||||
|
} |
||||||
|
|
||||||
|
if (JWT_TOKEN_TYPE_VALUE.equals(tokenExchangeAuthentication.getRequestedTokenType()) && |
||||||
|
!OAuth2TokenFormat.SELF_CONTAINED.equals(registeredClient.getTokenSettings().getAccessTokenFormat())) { |
||||||
|
throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_REQUEST); |
||||||
|
} |
||||||
|
|
||||||
|
OAuth2Authorization subjectAuthorization = this.authorizationService.findByToken( |
||||||
|
tokenExchangeAuthentication.getSubjectToken(), OAuth2TokenType.ACCESS_TOKEN); |
||||||
|
if (subjectAuthorization == null) { |
||||||
|
throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT); |
||||||
|
} |
||||||
|
|
||||||
|
if (this.logger.isTraceEnabled()) { |
||||||
|
this.logger.trace("Retrieved authorization with subject token"); |
||||||
|
} |
||||||
|
|
||||||
|
OAuth2Authorization.Token<OAuth2Token> subjectToken = subjectAuthorization.getToken( |
||||||
|
tokenExchangeAuthentication.getSubjectToken()); |
||||||
|
if (!subjectToken.isActive()) { |
||||||
|
// As per https://tools.ietf.org/html/rfc6749#section-5.2
|
||||||
|
// invalid_grant: The provided authorization grant (e.g., authorization code,
|
||||||
|
// resource owner credentials) or refresh token is invalid, expired, revoked [...].
|
||||||
|
throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT); |
||||||
|
} |
||||||
|
|
||||||
|
if (JWT_TOKEN_TYPE_VALUE.equals(tokenExchangeAuthentication.getSubjectTokenType()) && |
||||||
|
!Jwt.class.isAssignableFrom(subjectToken.getToken().getClass())) { |
||||||
|
throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_REQUEST); |
||||||
|
} |
||||||
|
|
||||||
|
if (subjectAuthorization.getAttribute(Principal.class.getName()) == null) { |
||||||
|
// As per https://datatracker.ietf.org/doc/html/rfc8693#section-1.1,
|
||||||
|
// we require a principal to be available via the subject_token for
|
||||||
|
// impersonation or delegation use cases.
|
||||||
|
throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT); |
||||||
|
} |
||||||
|
|
||||||
|
// As per https://datatracker.ietf.org/doc/html/rfc8693#section-4.4,
|
||||||
|
// The may_act claim makes a statement that one party is authorized to
|
||||||
|
// become the actor and act on behalf of another party.
|
||||||
|
String authorizedActorSubject = null; |
||||||
|
if (subjectToken.getClaims() != null && |
||||||
|
subjectToken.getClaims().containsKey(MAY_ACT) && |
||||||
|
subjectToken.getClaims().get(MAY_ACT) instanceof Map<?, ?> mayAct) { |
||||||
|
authorizedActorSubject = (String) mayAct.get(StandardClaimNames.SUB); |
||||||
|
} |
||||||
|
|
||||||
|
OAuth2Authorization actorAuthorization = null; |
||||||
|
if (StringUtils.hasText(tokenExchangeAuthentication.getActorToken())) { |
||||||
|
actorAuthorization = this.authorizationService.findByToken( |
||||||
|
tokenExchangeAuthentication.getActorToken(), OAuth2TokenType.ACCESS_TOKEN); |
||||||
|
if (actorAuthorization == null) { |
||||||
|
throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT); |
||||||
|
} |
||||||
|
|
||||||
|
if (this.logger.isTraceEnabled()) { |
||||||
|
this.logger.trace("Retrieved authorization with actor token"); |
||||||
|
} |
||||||
|
|
||||||
|
OAuth2Authorization.Token<OAuth2Token> actorToken = actorAuthorization.getToken( |
||||||
|
tokenExchangeAuthentication.getActorToken()); |
||||||
|
if (!actorToken.isActive()) { |
||||||
|
// As per https://tools.ietf.org/html/rfc6749#section-5.2
|
||||||
|
// invalid_grant: The provided authorization grant (e.g., authorization code,
|
||||||
|
// resource owner credentials) or refresh token is invalid, expired, revoked [...].
|
||||||
|
throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT); |
||||||
|
} |
||||||
|
|
||||||
|
if (JWT_TOKEN_TYPE_VALUE.equals(tokenExchangeAuthentication.getActorTokenType()) && |
||||||
|
!Jwt.class.isAssignableFrom(actorToken.getToken().getClass())) { |
||||||
|
throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_REQUEST); |
||||||
|
} |
||||||
|
|
||||||
|
if (StringUtils.hasText(authorizedActorSubject) && |
||||||
|
!authorizedActorSubject.equals(actorAuthorization.getPrincipalName())) { |
||||||
|
throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT); |
||||||
|
} |
||||||
|
} else if (StringUtils.hasText(authorizedActorSubject) && |
||||||
|
!authorizedActorSubject.equals(clientPrincipal.getName())) { |
||||||
|
throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT); |
||||||
|
} |
||||||
|
|
||||||
|
Set<String> authorizedScopes = Collections.emptySet(); |
||||||
|
if (!CollectionUtils.isEmpty(tokenExchangeAuthentication.getScopes())) { |
||||||
|
authorizedScopes = validateRequestedScopes(registeredClient, tokenExchangeAuthentication.getScopes()); |
||||||
|
} else if (!CollectionUtils.isEmpty(subjectAuthorization.getAuthorizedScopes())) { |
||||||
|
authorizedScopes = validateRequestedScopes(registeredClient, subjectAuthorization.getAuthorizedScopes()); |
||||||
|
} |
||||||
|
|
||||||
|
if (this.logger.isTraceEnabled()) { |
||||||
|
this.logger.trace("Validated token request parameters"); |
||||||
|
} |
||||||
|
|
||||||
|
Authentication principal = getPrincipal(subjectAuthorization, actorAuthorization); |
||||||
|
|
||||||
|
// @formatter:off
|
||||||
|
DefaultOAuth2TokenContext.Builder tokenContextBuilder = DefaultOAuth2TokenContext.builder() |
||||||
|
.registeredClient(registeredClient) |
||||||
|
.authorization(subjectAuthorization) |
||||||
|
.principal(principal) |
||||||
|
.authorizationServerContext(AuthorizationServerContextHolder.getContext()) |
||||||
|
.authorizedScopes(authorizedScopes) |
||||||
|
.tokenType(OAuth2TokenType.ACCESS_TOKEN) |
||||||
|
.authorizationGrantType(TOKEN_EXCHANGE) |
||||||
|
.authorizationGrant(tokenExchangeAuthentication); |
||||||
|
// @formatter:on
|
||||||
|
|
||||||
|
// ----- Access token -----
|
||||||
|
OAuth2TokenContext tokenContext = tokenContextBuilder.build(); |
||||||
|
OAuth2Token generatedAccessToken = this.tokenGenerator.generate(tokenContext); |
||||||
|
if (generatedAccessToken == null) { |
||||||
|
OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.SERVER_ERROR, |
||||||
|
"The token generator failed to generate the access token.", ERROR_URI); |
||||||
|
throw new OAuth2AuthenticationException(error); |
||||||
|
} |
||||||
|
|
||||||
|
if (this.logger.isTraceEnabled()) { |
||||||
|
this.logger.trace("Generated access token"); |
||||||
|
} |
||||||
|
|
||||||
|
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, |
||||||
|
generatedAccessToken.getTokenValue(), generatedAccessToken.getIssuedAt(), |
||||||
|
generatedAccessToken.getExpiresAt(), tokenContext.getAuthorizedScopes()); |
||||||
|
|
||||||
|
// @formatter:off
|
||||||
|
OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.withRegisteredClient(registeredClient) |
||||||
|
.principalName(subjectAuthorization.getPrincipalName()) |
||||||
|
.authorizationGrantType(TOKEN_EXCHANGE) |
||||||
|
.authorizedScopes(authorizedScopes) |
||||||
|
.attribute(Principal.class.getName(), principal); |
||||||
|
// @formatter:on
|
||||||
|
|
||||||
|
if (generatedAccessToken instanceof ClaimAccessor) { |
||||||
|
authorizationBuilder.token(accessToken, (metadata) -> { |
||||||
|
metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, ((ClaimAccessor) generatedAccessToken).getClaims()); |
||||||
|
metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, false); |
||||||
|
}); |
||||||
|
} else { |
||||||
|
authorizationBuilder.accessToken(accessToken); |
||||||
|
} |
||||||
|
|
||||||
|
OAuth2Authorization authorization = authorizationBuilder.build(); |
||||||
|
this.authorizationService.save(authorization); |
||||||
|
|
||||||
|
if (this.logger.isTraceEnabled()) { |
||||||
|
this.logger.trace("Saved authorization"); |
||||||
|
} |
||||||
|
|
||||||
|
Map<String, Object> additionalParameters = new HashMap<>(); |
||||||
|
additionalParameters.put(ISSUED_TOKEN_TYPE, tokenExchangeAuthentication.getRequestedTokenType()); |
||||||
|
|
||||||
|
if (this.logger.isTraceEnabled()) { |
||||||
|
this.logger.trace("Authenticated token request"); |
||||||
|
} |
||||||
|
|
||||||
|
return new OAuth2AccessTokenAuthenticationToken( |
||||||
|
registeredClient, clientPrincipal, accessToken, null, additionalParameters); |
||||||
|
} |
||||||
|
|
||||||
|
private static Set<String> validateRequestedScopes(RegisteredClient registeredClient, Set<String> requestedScopes) { |
||||||
|
for (String requestedScope : requestedScopes) { |
||||||
|
if (!registeredClient.getScopes().contains(requestedScope)) { |
||||||
|
throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_SCOPE); |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
return new LinkedHashSet<>(requestedScopes); |
||||||
|
} |
||||||
|
|
||||||
|
private static Authentication getPrincipal(OAuth2Authorization subjectAuthorization, OAuth2Authorization actorAuthorization) { |
||||||
|
Authentication subjectPrincipal = subjectAuthorization.getAttribute(Principal.class.getName()); |
||||||
|
|
||||||
|
List<Authentication> actorPrincipals = new LinkedList<>(); |
||||||
|
if (actorAuthorization != null) { |
||||||
|
actorPrincipals.add(new OAuth2ActorAuthenticationToken(actorAuthorization.getPrincipalName())); |
||||||
|
} |
||||||
|
|
||||||
|
if (subjectPrincipal instanceof OAuth2CompositeAuthenticationToken compositeAuthenticationToken) { |
||||||
|
// As per https://datatracker.ietf.org/doc/html/rfc8693#section-4.1,
|
||||||
|
// the act claim can be used to represent a chain of delegation,
|
||||||
|
// so we unwrap the original subject and any previous actor(s).
|
||||||
|
subjectPrincipal = compositeAuthenticationToken.getSubject(); |
||||||
|
actorPrincipals.addAll(compositeAuthenticationToken.getActors()); |
||||||
|
// TODO: Should we allow delegation-to-impersonation where previous
|
||||||
|
// actors exist but no actor_token exists on this request?
|
||||||
|
} |
||||||
|
|
||||||
|
return CollectionUtils.isEmpty(actorPrincipals) ? subjectPrincipal : |
||||||
|
new OAuth2CompositeAuthenticationToken(subjectPrincipal, actorPrincipals); |
||||||
|
} |
||||||
|
|
||||||
|
@Override |
||||||
|
public boolean supports(Class<?> authentication) { |
||||||
|
return OAuth2TokenExchangeAuthenticationToken.class.isAssignableFrom(authentication); |
||||||
|
} |
||||||
|
|
||||||
|
} |
||||||
@ -0,0 +1,164 @@ |
|||||||
|
/* |
||||||
|
* Copyright 2020-2024 the original author or authors. |
||||||
|
* |
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||||
|
* you may not use this file except in compliance with the License. |
||||||
|
* You may obtain a copy of the License at |
||||||
|
* |
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* |
||||||
|
* Unless required by applicable law or agreed to in writing, software |
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, |
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||||
|
* See the License for the specific language governing permissions and |
||||||
|
* limitations under the License. |
||||||
|
*/ |
||||||
|
package org.springframework.security.oauth2.server.authorization.authentication; |
||||||
|
|
||||||
|
import java.util.Collections; |
||||||
|
import java.util.HashSet; |
||||||
|
import java.util.List; |
||||||
|
import java.util.Map; |
||||||
|
import java.util.Set; |
||||||
|
|
||||||
|
import org.springframework.lang.Nullable; |
||||||
|
import org.springframework.security.core.Authentication; |
||||||
|
import org.springframework.security.oauth2.core.AuthorizationGrantType; |
||||||
|
import org.springframework.util.Assert; |
||||||
|
|
||||||
|
/** |
||||||
|
* An {@link Authentication} implementation used for the OAuth 2.0 Token Exchange Grant. |
||||||
|
* |
||||||
|
* @author Steve Riesenberg |
||||||
|
* @since 1.3 |
||||||
|
* @see OAuth2AuthorizationGrantAuthenticationToken |
||||||
|
* @see OAuth2TokenExchangeAuthenticationProvider |
||||||
|
*/ |
||||||
|
public class OAuth2TokenExchangeAuthenticationToken extends OAuth2AuthorizationGrantAuthenticationToken { |
||||||
|
|
||||||
|
private static final AuthorizationGrantType TOKEN_EXCHANGE = new AuthorizationGrantType( |
||||||
|
"urn:ietf:params:oauth:grant-type:token-exchange"); |
||||||
|
|
||||||
|
private final List<String> resources; |
||||||
|
|
||||||
|
private final List<String> audiences; |
||||||
|
|
||||||
|
private final String requestedTokenType; |
||||||
|
|
||||||
|
private final String subjectToken; |
||||||
|
|
||||||
|
private final String subjectTokenType; |
||||||
|
|
||||||
|
private final String actorToken; |
||||||
|
|
||||||
|
private final String actorTokenType; |
||||||
|
|
||||||
|
private final Set<String> scopes; |
||||||
|
|
||||||
|
/** |
||||||
|
* Constructs an {@code OAuth2TokenExchangeAuthenticationToken} using the provided parameters. |
||||||
|
* |
||||||
|
* @param resources a list of resource URIs |
||||||
|
* @param audiences a list audience values |
||||||
|
* @param scopes the requested scope(s) |
||||||
|
* @param requestedTokenType the requested token type |
||||||
|
* @param subjectToken the subject token |
||||||
|
* @param subjectTokenType the subject token type |
||||||
|
* @param actorToken the actor token |
||||||
|
* @param actorTokenType the actor token type |
||||||
|
* @param clientPrincipal the authenticated client principal |
||||||
|
* @param additionalParameters the additional parameters |
||||||
|
*/ |
||||||
|
public OAuth2TokenExchangeAuthenticationToken(List<String> resources, List<String> audiences, |
||||||
|
@Nullable Set<String> scopes, @Nullable String requestedTokenType, String subjectToken, |
||||||
|
String subjectTokenType, @Nullable String actorToken, @Nullable String actorTokenType, |
||||||
|
Authentication clientPrincipal, @Nullable Map<String, Object> additionalParameters) { |
||||||
|
super(TOKEN_EXCHANGE, clientPrincipal, additionalParameters); |
||||||
|
Assert.notNull(resources, "resources cannot be null"); |
||||||
|
Assert.notNull(audiences, "audiences cannot be null"); |
||||||
|
Assert.hasText(requestedTokenType, "requestedTokenType cannot be empty"); |
||||||
|
Assert.hasText(subjectToken, "subjectToken cannot be empty"); |
||||||
|
Assert.hasText(subjectTokenType, "subjectTokenType cannot be empty"); |
||||||
|
this.resources = resources; |
||||||
|
this.audiences = audiences; |
||||||
|
this.requestedTokenType = requestedTokenType; |
||||||
|
this.subjectToken = subjectToken; |
||||||
|
this.subjectTokenType = subjectTokenType; |
||||||
|
this.actorToken = actorToken; |
||||||
|
this.actorTokenType = actorTokenType; |
||||||
|
this.scopes = Collections.unmodifiableSet( |
||||||
|
scopes != null ? new HashSet<>(scopes) : Collections.emptySet()); |
||||||
|
} |
||||||
|
|
||||||
|
/** |
||||||
|
* Returns the list of resource URIs. |
||||||
|
* |
||||||
|
* @return the list of resource URIs |
||||||
|
*/ |
||||||
|
public List<String> getResources() { |
||||||
|
return this.resources; |
||||||
|
} |
||||||
|
|
||||||
|
/** |
||||||
|
* Returns the list of audience values. |
||||||
|
* |
||||||
|
* @return the list of audience values |
||||||
|
*/ |
||||||
|
public List<String> getAudiences() { |
||||||
|
return this.audiences; |
||||||
|
} |
||||||
|
|
||||||
|
/** |
||||||
|
* Returns the requested scope(s). |
||||||
|
* |
||||||
|
* @return the requested scope(s), or an empty {@code Set} if not available |
||||||
|
*/ |
||||||
|
public Set<String> getScopes() { |
||||||
|
return this.scopes; |
||||||
|
} |
||||||
|
|
||||||
|
/** |
||||||
|
* Returns the requested token type. |
||||||
|
* |
||||||
|
* @return the requested token type |
||||||
|
*/ |
||||||
|
public String getRequestedTokenType() { |
||||||
|
return this.requestedTokenType; |
||||||
|
} |
||||||
|
|
||||||
|
/** |
||||||
|
* Returns the subject token. |
||||||
|
* |
||||||
|
* @return the subject token |
||||||
|
*/ |
||||||
|
public String getSubjectToken() { |
||||||
|
return this.subjectToken; |
||||||
|
} |
||||||
|
|
||||||
|
/** |
||||||
|
* Returns the subject token type. |
||||||
|
* |
||||||
|
* @return the subject token type |
||||||
|
*/ |
||||||
|
public String getSubjectTokenType() { |
||||||
|
return this.subjectTokenType; |
||||||
|
} |
||||||
|
|
||||||
|
/** |
||||||
|
* Returns the actor token. |
||||||
|
* |
||||||
|
* @return the actor token |
||||||
|
*/ |
||||||
|
public String getActorToken() { |
||||||
|
return this.actorToken; |
||||||
|
} |
||||||
|
|
||||||
|
/** |
||||||
|
* Returns the actor token type. |
||||||
|
* |
||||||
|
* @return the actor token type |
||||||
|
*/ |
||||||
|
public String getActorTokenType() { |
||||||
|
return this.actorTokenType; |
||||||
|
} |
||||||
|
} |
||||||
@ -0,0 +1,46 @@ |
|||||||
|
/* |
||||||
|
* Copyright 2020-2024 the original author or authors. |
||||||
|
* |
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||||
|
* you may not use this file except in compliance with the License. |
||||||
|
* You may obtain a copy of the License at |
||||||
|
* |
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* |
||||||
|
* Unless required by applicable law or agreed to in writing, software |
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, |
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||||
|
* See the License for the specific language governing permissions and |
||||||
|
* limitations under the License. |
||||||
|
*/ |
||||||
|
|
||||||
|
package org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers; |
||||||
|
|
||||||
|
import java.util.Collections; |
||||||
|
import java.util.List; |
||||||
|
|
||||||
|
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenContext; |
||||||
|
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer; |
||||||
|
import org.springframework.util.Assert; |
||||||
|
|
||||||
|
/** |
||||||
|
* @author Steve Riesenberg |
||||||
|
* @since 1.3 |
||||||
|
*/ |
||||||
|
final class DelegatingOAuth2TokenCustomizer<T extends OAuth2TokenContext> implements OAuth2TokenCustomizer<T> { |
||||||
|
|
||||||
|
private final List<OAuth2TokenCustomizer<T>> tokenCustomizers; |
||||||
|
|
||||||
|
DelegatingOAuth2TokenCustomizer(List<OAuth2TokenCustomizer<T>> tokenCustomizers) { |
||||||
|
Assert.notEmpty(tokenCustomizers, "tokenCustomizers cannot be empty"); |
||||||
|
this.tokenCustomizers = Collections.unmodifiableList(tokenCustomizers); |
||||||
|
} |
||||||
|
|
||||||
|
@Override |
||||||
|
public void customize(T context) { |
||||||
|
for (OAuth2TokenCustomizer<T> tokenCustomizer : this.tokenCustomizers) { |
||||||
|
tokenCustomizer.customize(context); |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
} |
||||||
@ -0,0 +1,85 @@ |
|||||||
|
/* |
||||||
|
* Copyright 2020-2024 the original author or authors. |
||||||
|
* |
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||||
|
* you may not use this file except in compliance with the License. |
||||||
|
* You may obtain a copy of the License at |
||||||
|
* |
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* |
||||||
|
* Unless required by applicable law or agreed to in writing, software |
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, |
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||||
|
* See the License for the specific language governing permissions and |
||||||
|
* limitations under the License. |
||||||
|
*/ |
||||||
|
|
||||||
|
package org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers; |
||||||
|
|
||||||
|
import java.util.Collections; |
||||||
|
import java.util.HashMap; |
||||||
|
import java.util.List; |
||||||
|
import java.util.Map; |
||||||
|
|
||||||
|
import org.springframework.security.core.Authentication; |
||||||
|
import org.springframework.security.oauth2.core.AuthorizationGrantType; |
||||||
|
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2CompositeAuthenticationToken; |
||||||
|
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeAuthenticationToken; |
||||||
|
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext; |
||||||
|
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenClaimNames; |
||||||
|
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenClaimsContext; |
||||||
|
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenContext; |
||||||
|
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer; |
||||||
|
import org.springframework.util.CollectionUtils; |
||||||
|
|
||||||
|
/** |
||||||
|
* @author Steve Riesenberg |
||||||
|
* @since 1.3 |
||||||
|
*/ |
||||||
|
final class OAuth2TokenExchangeTokenCustomizers { |
||||||
|
|
||||||
|
private static final AuthorizationGrantType TOKEN_EXCHANGE = new AuthorizationGrantType( |
||||||
|
"urn:ietf:params:oauth:grant-type:token-exchange"); |
||||||
|
|
||||||
|
private OAuth2TokenExchangeTokenCustomizers() { |
||||||
|
} |
||||||
|
|
||||||
|
static OAuth2TokenCustomizer<JwtEncodingContext> jwt() { |
||||||
|
return (context) -> context.getClaims().claims((claims) -> customize(context, claims)); |
||||||
|
} |
||||||
|
|
||||||
|
static OAuth2TokenCustomizer<OAuth2TokenClaimsContext> accessToken() { |
||||||
|
return (context) -> context.getClaims().claims((claims) -> customize(context, claims)); |
||||||
|
} |
||||||
|
|
||||||
|
private static void customize(OAuth2TokenContext context, Map<String, Object> claims) { |
||||||
|
if (!TOKEN_EXCHANGE.equals(context.getAuthorizationGrantType())) { |
||||||
|
return; |
||||||
|
} |
||||||
|
|
||||||
|
if (context.getAuthorizationGrant() instanceof OAuth2TokenExchangeAuthenticationToken tokenExchangeAuthentication) { |
||||||
|
// Customize the token claims when audience is present in the request
|
||||||
|
List<String> audience = tokenExchangeAuthentication.getAudiences(); |
||||||
|
if (!CollectionUtils.isEmpty(audience)) { |
||||||
|
claims.put(OAuth2TokenClaimNames.AUD, audience); |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
// As per https://datatracker.ietf.org/doc/html/rfc8693#section-4.1,
|
||||||
|
// we handle a composite principal with an actor by adding an "act"
|
||||||
|
// claim with a "sub" claim of the actor.
|
||||||
|
//
|
||||||
|
// If more than one actor is present, we create a chain of delegation by
|
||||||
|
// nesting "act" claims.
|
||||||
|
if (context.getPrincipal() instanceof OAuth2CompositeAuthenticationToken compositeAuthenticationToken) { |
||||||
|
Map<String, Object> currentClaims = claims; |
||||||
|
for (Authentication actorPrincipal : compositeAuthenticationToken.getActors()) { |
||||||
|
Map<String, Object> actClaim = new HashMap<>(); |
||||||
|
actClaim.put("sub", actorPrincipal.getName()); |
||||||
|
currentClaims.put("act", Collections.unmodifiableMap(actClaim)); |
||||||
|
currentClaims = actClaim; |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
} |
||||||
@ -0,0 +1,44 @@ |
|||||||
|
/* |
||||||
|
* Copyright 2020-2024 the original author or authors. |
||||||
|
* |
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||||
|
* you may not use this file except in compliance with the License. |
||||||
|
* You may obtain a copy of the License at |
||||||
|
* |
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* |
||||||
|
* Unless required by applicable law or agreed to in writing, software |
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, |
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||||
|
* See the License for the specific language governing permissions and |
||||||
|
* limitations under the License. |
||||||
|
*/ |
||||||
|
|
||||||
|
package org.springframework.security.oauth2.server.authorization.jackson2; |
||||||
|
|
||||||
|
import com.fasterxml.jackson.annotation.JsonAutoDetect; |
||||||
|
import com.fasterxml.jackson.annotation.JsonCreator; |
||||||
|
import com.fasterxml.jackson.annotation.JsonIgnoreProperties; |
||||||
|
import com.fasterxml.jackson.annotation.JsonProperty; |
||||||
|
import com.fasterxml.jackson.annotation.JsonTypeInfo; |
||||||
|
|
||||||
|
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ActorAuthenticationToken; |
||||||
|
|
||||||
|
/** |
||||||
|
* This mixin class is used to serialize/deserialize {@link OAuth2ActorAuthenticationToken}. |
||||||
|
* |
||||||
|
* @author Steve Riesenberg |
||||||
|
* @since 1.3 |
||||||
|
* @see OAuth2ActorAuthenticationToken |
||||||
|
*/ |
||||||
|
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) |
||||||
|
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, |
||||||
|
isGetterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.NONE) |
||||||
|
@JsonIgnoreProperties(ignoreUnknown = true) |
||||||
|
abstract class OAuth2ActorAuthenticationTokenMixin { |
||||||
|
|
||||||
|
@JsonCreator |
||||||
|
OAuth2ActorAuthenticationTokenMixin(@JsonProperty("name") String name) { |
||||||
|
} |
||||||
|
|
||||||
|
} |
||||||
@ -0,0 +1,48 @@ |
|||||||
|
/* |
||||||
|
* Copyright 2020-2024 the original author or authors. |
||||||
|
* |
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||||
|
* you may not use this file except in compliance with the License. |
||||||
|
* You may obtain a copy of the License at |
||||||
|
* |
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* |
||||||
|
* Unless required by applicable law or agreed to in writing, software |
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, |
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||||
|
* See the License for the specific language governing permissions and |
||||||
|
* limitations under the License. |
||||||
|
*/ |
||||||
|
|
||||||
|
package org.springframework.security.oauth2.server.authorization.jackson2; |
||||||
|
|
||||||
|
import java.util.List; |
||||||
|
|
||||||
|
import com.fasterxml.jackson.annotation.JsonAutoDetect; |
||||||
|
import com.fasterxml.jackson.annotation.JsonCreator; |
||||||
|
import com.fasterxml.jackson.annotation.JsonIgnoreProperties; |
||||||
|
import com.fasterxml.jackson.annotation.JsonProperty; |
||||||
|
import com.fasterxml.jackson.annotation.JsonTypeInfo; |
||||||
|
|
||||||
|
import org.springframework.security.core.Authentication; |
||||||
|
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2CompositeAuthenticationToken; |
||||||
|
|
||||||
|
/** |
||||||
|
* This mixin class is used to serialize/deserialize {@link OAuth2CompositeAuthenticationToken}. |
||||||
|
* |
||||||
|
* @author Steve Riesenberg |
||||||
|
* @since 1.3 |
||||||
|
* @see OAuth2CompositeAuthenticationToken |
||||||
|
*/ |
||||||
|
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) |
||||||
|
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, |
||||||
|
isGetterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.NONE) |
||||||
|
@JsonIgnoreProperties(ignoreUnknown = true) |
||||||
|
abstract class OAuth2CompositeAuthenticationTokenMixin { |
||||||
|
|
||||||
|
@JsonCreator |
||||||
|
OAuth2CompositeAuthenticationTokenMixin(@JsonProperty("subject") Authentication subject, |
||||||
|
@JsonProperty("actors") List<Authentication> actors) { |
||||||
|
} |
||||||
|
|
||||||
|
} |
||||||
@ -0,0 +1,241 @@ |
|||||||
|
/* |
||||||
|
* Copyright 2020-2024 the original author or authors. |
||||||
|
* |
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||||
|
* you may not use this file except in compliance with the License. |
||||||
|
* You may obtain a copy of the License at |
||||||
|
* |
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
* |
||||||
|
* Unless required by applicable law or agreed to in writing, software |
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, |
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||||
|
* See the License for the specific language governing permissions and |
||||||
|
* limitations under the License. |
||||||
|
*/ |
||||||
|
package org.springframework.security.oauth2.server.authorization.web.authentication; |
||||||
|
|
||||||
|
import java.net.URI; |
||||||
|
import java.net.URISyntaxException; |
||||||
|
import java.util.Arrays; |
||||||
|
import java.util.Collections; |
||||||
|
import java.util.HashMap; |
||||||
|
import java.util.HashSet; |
||||||
|
import java.util.List; |
||||||
|
import java.util.Map; |
||||||
|
import java.util.Set; |
||||||
|
|
||||||
|
import jakarta.servlet.http.HttpServletRequest; |
||||||
|
|
||||||
|
import org.springframework.lang.Nullable; |
||||||
|
import org.springframework.security.core.Authentication; |
||||||
|
import org.springframework.security.core.context.SecurityContextHolder; |
||||||
|
import org.springframework.security.oauth2.core.AuthorizationGrantType; |
||||||
|
import org.springframework.security.oauth2.core.OAuth2AuthenticationException; |
||||||
|
import org.springframework.security.oauth2.core.OAuth2Error; |
||||||
|
import org.springframework.security.oauth2.core.OAuth2ErrorCodes; |
||||||
|
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames; |
||||||
|
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeAuthenticationToken; |
||||||
|
import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter; |
||||||
|
import org.springframework.security.web.authentication.AuthenticationConverter; |
||||||
|
import org.springframework.util.CollectionUtils; |
||||||
|
import org.springframework.util.MultiValueMap; |
||||||
|
import org.springframework.util.StringUtils; |
||||||
|
|
||||||
|
/** |
||||||
|
* Attempts to extract an Access Token Request from {@link HttpServletRequest} for the OAuth 2.0 Token Exchange Grant |
||||||
|
* and then converts it to an {@link OAuth2TokenExchangeAuthenticationToken} used for authenticating the authorization grant. |
||||||
|
* |
||||||
|
* @author Steve Riesenberg |
||||||
|
* @since 1.3 |
||||||
|
* @see AuthenticationConverter |
||||||
|
* @see OAuth2TokenExchangeAuthenticationToken |
||||||
|
* @see OAuth2TokenEndpointFilter |
||||||
|
*/ |
||||||
|
public final class OAuth2TokenExchangeAuthenticationConverter implements AuthenticationConverter { |
||||||
|
|
||||||
|
private static final String TOKEN_TYPE_IDENTIFIERS_URI = "https://datatracker.ietf.org/doc/html/rfc8693#section-3"; |
||||||
|
|
||||||
|
private static final AuthorizationGrantType TOKEN_EXCHANGE = new AuthorizationGrantType( |
||||||
|
"urn:ietf:params:oauth:grant-type:token-exchange"); |
||||||
|
|
||||||
|
private static final String AUDIENCE = "audience"; |
||||||
|
|
||||||
|
private static final String RESOURCE = "resource"; |
||||||
|
|
||||||
|
private static final String REQUESTED_TOKEN_TYPE = "requested_token_type"; |
||||||
|
|
||||||
|
private static final String SUBJECT_TOKEN = "subject_token"; |
||||||
|
|
||||||
|
private static final String SUBJECT_TOKEN_TYPE = "subject_token_type"; |
||||||
|
|
||||||
|
private static final String ACTOR_TOKEN = "actor_token"; |
||||||
|
|
||||||
|
private static final String ACTOR_TOKEN_TYPE = "actor_token_type"; |
||||||
|
|
||||||
|
private static final String ACCESS_TOKEN_TYPE_VALUE = "urn:ietf:params:oauth:token-type:access_token"; |
||||||
|
|
||||||
|
private static final String JWT_TOKEN_TYPE_VALUE = "urn:ietf:params:oauth:token-type:jwt"; |
||||||
|
|
||||||
|
private static final Set<String> SUPPORTED_TOKEN_TYPES = Set.of(ACCESS_TOKEN_TYPE_VALUE, JWT_TOKEN_TYPE_VALUE); |
||||||
|
|
||||||
|
@Nullable |
||||||
|
@Override |
||||||
|
public Authentication convert(HttpServletRequest request) { |
||||||
|
MultiValueMap<String, String> parameters = OAuth2EndpointUtils.getFormParameters(request); |
||||||
|
|
||||||
|
// grant_type (REQUIRED)
|
||||||
|
String grantType = parameters.getFirst(OAuth2ParameterNames.GRANT_TYPE); |
||||||
|
if (!TOKEN_EXCHANGE.getValue().equals(grantType)) { |
||||||
|
return null; |
||||||
|
} |
||||||
|
|
||||||
|
Authentication clientPrincipal = SecurityContextHolder.getContext().getAuthentication(); |
||||||
|
|
||||||
|
// resource (OPTIONAL)
|
||||||
|
List<String> resources = parameters.getOrDefault(RESOURCE, Collections.emptyList()); |
||||||
|
if (!CollectionUtils.isEmpty(resources)) { |
||||||
|
for (String resource : resources) { |
||||||
|
if (!isValidUri(resource)) { |
||||||
|
OAuth2EndpointUtils.throwError( |
||||||
|
OAuth2ErrorCodes.INVALID_REQUEST, |
||||||
|
RESOURCE, |
||||||
|
OAuth2EndpointUtils.ACCESS_TOKEN_REQUEST_ERROR_URI); |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
// audience (OPTIONAL)
|
||||||
|
List<String> audiences = parameters.getOrDefault(AUDIENCE, Collections.emptyList()); |
||||||
|
|
||||||
|
// scope (OPTIONAL)
|
||||||
|
String scope = parameters.getFirst(OAuth2ParameterNames.SCOPE); |
||||||
|
if (StringUtils.hasText(scope) && |
||||||
|
parameters.get(OAuth2ParameterNames.SCOPE).size() != 1) { |
||||||
|
OAuth2EndpointUtils.throwError( |
||||||
|
OAuth2ErrorCodes.INVALID_REQUEST, |
||||||
|
OAuth2ParameterNames.SCOPE, |
||||||
|
OAuth2EndpointUtils.ACCESS_TOKEN_REQUEST_ERROR_URI); |
||||||
|
} |
||||||
|
|
||||||
|
Set<String> requestedScopes = null; |
||||||
|
if (StringUtils.hasText(scope)) { |
||||||
|
requestedScopes = new HashSet<>( |
||||||
|
Arrays.asList(StringUtils.delimitedListToStringArray(scope, " "))); |
||||||
|
} |
||||||
|
|
||||||
|
// requested_token_type (OPTIONAL)
|
||||||
|
String requestedTokenType = parameters.getFirst(REQUESTED_TOKEN_TYPE); |
||||||
|
if (StringUtils.hasText(requestedTokenType)) { |
||||||
|
if (parameters.get(REQUESTED_TOKEN_TYPE).size() != 1) { |
||||||
|
OAuth2EndpointUtils.throwError( |
||||||
|
OAuth2ErrorCodes.INVALID_REQUEST, |
||||||
|
REQUESTED_TOKEN_TYPE, |
||||||
|
OAuth2EndpointUtils.ACCESS_TOKEN_REQUEST_ERROR_URI); |
||||||
|
} |
||||||
|
|
||||||
|
validateTokenType(REQUESTED_TOKEN_TYPE, requestedTokenType); |
||||||
|
} else { |
||||||
|
requestedTokenType = ACCESS_TOKEN_TYPE_VALUE; |
||||||
|
} |
||||||
|
|
||||||
|
// subject_token (REQUIRED)
|
||||||
|
String subjectToken = parameters.getFirst(SUBJECT_TOKEN); |
||||||
|
if (!StringUtils.hasText(subjectToken) || |
||||||
|
parameters.get(SUBJECT_TOKEN).size() != 1) { |
||||||
|
OAuth2EndpointUtils.throwError( |
||||||
|
OAuth2ErrorCodes.INVALID_REQUEST, |
||||||
|
SUBJECT_TOKEN, |
||||||
|
OAuth2EndpointUtils.ACCESS_TOKEN_REQUEST_ERROR_URI); |
||||||
|
} |
||||||
|
|
||||||
|
// subject_token_type (REQUIRED)
|
||||||
|
String subjectTokenType = parameters.getFirst(SUBJECT_TOKEN_TYPE); |
||||||
|
if (!StringUtils.hasText(subjectTokenType) || |
||||||
|
parameters.get(SUBJECT_TOKEN_TYPE).size() != 1) { |
||||||
|
OAuth2EndpointUtils.throwError( |
||||||
|
OAuth2ErrorCodes.INVALID_REQUEST, |
||||||
|
SUBJECT_TOKEN_TYPE, |
||||||
|
OAuth2EndpointUtils.ACCESS_TOKEN_REQUEST_ERROR_URI); |
||||||
|
} else { |
||||||
|
validateTokenType(SUBJECT_TOKEN_TYPE, subjectTokenType); |
||||||
|
} |
||||||
|
|
||||||
|
// actor_token (OPTIONAL, REQUIRED if actor_token_type is provided)
|
||||||
|
String actorToken = parameters.getFirst(ACTOR_TOKEN); |
||||||
|
if (StringUtils.hasText(actorToken) && |
||||||
|
parameters.get(ACTOR_TOKEN).size() != 1) { |
||||||
|
OAuth2EndpointUtils.throwError( |
||||||
|
OAuth2ErrorCodes.INVALID_REQUEST, |
||||||
|
ACTOR_TOKEN, |
||||||
|
OAuth2EndpointUtils.ACCESS_TOKEN_REQUEST_ERROR_URI); |
||||||
|
} |
||||||
|
|
||||||
|
// actor_token_type (OPTIONAL, REQUIRED if actor_token is provided)
|
||||||
|
String actorTokenType = parameters.getFirst(ACTOR_TOKEN_TYPE); |
||||||
|
if (StringUtils.hasText(actorTokenType)) { |
||||||
|
if (parameters.get(ACTOR_TOKEN_TYPE).size() != 1) { |
||||||
|
OAuth2EndpointUtils.throwError( |
||||||
|
OAuth2ErrorCodes.INVALID_REQUEST, |
||||||
|
ACTOR_TOKEN_TYPE, |
||||||
|
OAuth2EndpointUtils.ACCESS_TOKEN_REQUEST_ERROR_URI); |
||||||
|
} |
||||||
|
|
||||||
|
validateTokenType(ACTOR_TOKEN_TYPE, actorTokenType); |
||||||
|
} |
||||||
|
|
||||||
|
if (!StringUtils.hasText(actorToken) && StringUtils.hasText(actorTokenType)) { |
||||||
|
OAuth2EndpointUtils.throwError( |
||||||
|
OAuth2ErrorCodes.INVALID_REQUEST, |
||||||
|
ACTOR_TOKEN, |
||||||
|
OAuth2EndpointUtils.ACCESS_TOKEN_REQUEST_ERROR_URI); |
||||||
|
} else if (StringUtils.hasText(actorToken) && !StringUtils.hasText(actorTokenType)) { |
||||||
|
OAuth2EndpointUtils.throwError( |
||||||
|
OAuth2ErrorCodes.INVALID_REQUEST, |
||||||
|
ACTOR_TOKEN_TYPE, |
||||||
|
OAuth2EndpointUtils.ACCESS_TOKEN_REQUEST_ERROR_URI); |
||||||
|
} |
||||||
|
|
||||||
|
Map<String, Object> additionalParameters = new HashMap<>(); |
||||||
|
parameters.forEach((key, value) -> { |
||||||
|
if (!key.equals(OAuth2ParameterNames.GRANT_TYPE) && |
||||||
|
!key.equals(RESOURCE) && |
||||||
|
!key.equals(AUDIENCE) && |
||||||
|
!key.equals(REQUESTED_TOKEN_TYPE) && |
||||||
|
!key.equals(SUBJECT_TOKEN) && |
||||||
|
!key.equals(SUBJECT_TOKEN_TYPE) && |
||||||
|
!key.equals(ACTOR_TOKEN) && |
||||||
|
!key.equals(ACTOR_TOKEN_TYPE) && |
||||||
|
!key.equals(OAuth2ParameterNames.SCOPE)) { |
||||||
|
additionalParameters.put(key, (value.size() == 1) ? value.get(0) : value.toArray(new String[0])); |
||||||
|
} |
||||||
|
}); |
||||||
|
|
||||||
|
return new OAuth2TokenExchangeAuthenticationToken(resources, audiences, requestedScopes, requestedTokenType, |
||||||
|
subjectToken, subjectTokenType, actorToken, actorTokenType, clientPrincipal, additionalParameters); |
||||||
|
} |
||||||
|
|
||||||
|
private static void validateTokenType(String parameterName, String tokenTypeValue) { |
||||||
|
if (!SUPPORTED_TOKEN_TYPES.contains(tokenTypeValue)) { |
||||||
|
OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.UNSUPPORTED_TOKEN_TYPE, |
||||||
|
String.format("OAuth 2.0 Token Exchange parameter: %s", parameterName), TOKEN_TYPE_IDENTIFIERS_URI); |
||||||
|
// @formatter:off
|
||||||
|
String message = String.format( |
||||||
|
"OAuth 2.0 Token Exchange parameter: %s - " + |
||||||
|
"The provided value is not supported by this authorization server. " + |
||||||
|
"Supported values are %s and %s.", |
||||||
|
parameterName, ACCESS_TOKEN_TYPE_VALUE, JWT_TOKEN_TYPE_VALUE); |
||||||
|
// @formatter:on
|
||||||
|
throw new OAuth2AuthenticationException(error, message); |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
private static boolean isValidUri(String uri) { |
||||||
|
try { |
||||||
|
URI validUri = new URI(uri); |
||||||
|
return validUri.isAbsolute() && validUri.getFragment() == null; |
||||||
|
} catch (URISyntaxException ex) { |
||||||
|
return false; |
||||||
|
} |
||||||
|
} |
||||||
|
} |
||||||
Loading…
Reference in new issue