GitHub-Spring
/
spring-authorization-server
mirror of https://github.com/spring-projects/spring-authorization-server.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Scope "openid" should be in access token response scope 

- Still does not require user consent

Closes gh-252
pull/254/head
Joshua Casey 5 years ago committed by Joe Grandja
parent
1962b9c5b7
commit
3b0938883b
2 changed files with 4 additions and 14 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 14
      oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java
  2. 4
      oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProviderTests.java

14
oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java
Unescape View File

@ -18,7 +18,6 @@ package org.springframework.security.oauth2.server.authorization.authentication;
import java.security.Principal; import java.security.Principal;
import java.util.Collections; import java.util.Collections;
import java.util.HashMap; import java.util.HashMap;
import java.util.HashSet;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
@ -147,7 +146,7 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica
JoseHeader.Builder headersBuilder = JwtUtils.headers(); JoseHeader.Builder headersBuilder = JwtUtils.headers();
JwtClaimsSet.Builder claimsBuilder = JwtUtils.accessTokenClaims( JwtClaimsSet.Builder claimsBuilder = JwtUtils.accessTokenClaims(
registeredClient, issuer, authorization.getPrincipalName(), registeredClient, issuer, authorization.getPrincipalName(),
excludeOpenidIfNecessary(authorizedScopes)); authorizedScopes);
// @formatter:off // @formatter:off
JwtEncodingContext context = JwtEncodingContext.with(headersBuilder, claimsBuilder) JwtEncodingContext context = JwtEncodingContext.with(headersBuilder, claimsBuilder)
@ -169,7 +168,7 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica
OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(), jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(),
jwtAccessToken.getExpiresAt(), excludeOpenidIfNecessary(authorizedScopes)); jwtAccessToken.getExpiresAt(), authorizedScopes);
OAuth2RefreshToken refreshToken = null; OAuth2RefreshToken refreshToken = null;
if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)) { if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)) {
@ -245,15 +244,6 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica
registeredClient, clientPrincipal, accessToken, refreshToken, additionalParameters); registeredClient, clientPrincipal, accessToken, refreshToken, additionalParameters);
} }
private static Set<String> excludeOpenidIfNecessary(Set<String> scopes) {
if (!scopes.contains(OidcScopes.OPENID)) {
return scopes;
}
scopes = new HashSet<>(scopes);
scopes.remove(OidcScopes.OPENID);
return scopes;
}
@Override @Override
public boolean supports(Class<?> authentication) { public boolean supports(Class<?> authentication) {
return OAuth2AuthorizationCodeAuthenticationToken.class.isAssignableFrom(authentication); return OAuth2AuthorizationCodeAuthenticationToken.class.isAssignableFrom(authentication);

4
oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProviderTests.java
Unescape View File

@ -311,7 +311,8 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
assertThat(accessTokenContext.getClaims()).isNotNull(); assertThat(accessTokenContext.getClaims()).isNotNull();
Map<String, Object> claims = new HashMap<>(); Map<String, Object> claims = new HashMap<>();
accessTokenContext.getClaims().claims(claims::putAll); accessTokenContext.getClaims().claims(claims::putAll);
assertThat(claims.containsKey(OidcScopes.OPENID)).isFalse(); assertThat(claims).flatExtracting(OAuth2ParameterNames.SCOPE)
.containsExactlyInAnyOrder(OidcScopes.OPENID, "scope1");
// ID Token context // ID Token context
JwtEncodingContext idTokenContext = jwtEncodingContextCaptor.getAllValues().get(1); JwtEncodingContext idTokenContext = jwtEncodingContextCaptor.getAllValues().get(1);
assertThat(idTokenContext.getRegisteredClient()).isEqualTo(registeredClient); assertThat(idTokenContext.getRegisteredClient()).isEqualTo(registeredClient);
@ -335,7 +336,6 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal); assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal);
assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(updatedAuthorization.getAccessToken().getToken()); assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(updatedAuthorization.getAccessToken().getToken());
Set<String> accessTokenScopes = new HashSet<>(updatedAuthorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME)); Set<String> accessTokenScopes = new HashSet<>(updatedAuthorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
accessTokenScopes.remove(OidcScopes.OPENID);
assertThat(accessTokenAuthentication.getAccessToken().getScopes()).isEqualTo(accessTokenScopes); assertThat(accessTokenAuthentication.getAccessToken().getScopes()).isEqualTo(accessTokenScopes);
assertThat(accessTokenAuthentication.getRefreshToken()).isNotNull(); assertThat(accessTokenAuthentication.getRefreshToken()).isNotNull();
assertThat(accessTokenAuthentication.getRefreshToken()).isEqualTo(updatedAuthorization.getRefreshToken().getToken()); assertThat(accessTokenAuthentication.getRefreshToken()).isEqualTo(updatedAuthorization.getRefreshToken().getToken());

Write Preview
Loading…
Cancel
Save