From 9addcf65b3d7dc9896745ed522c05989aacc75a9 Mon Sep 17 00:00:00 2001
From: Joe Grandja <10884212+jgrandja@users.noreply.github.com>
Date: Fri, 19 Jul 2024 14:53:05 -0400
Subject: [PATCH] AuthorizationServerContext is accessible in custom consent controller

Closes gh-1668
---
 ...OAuth2AuthorizationEndpointConfigurer.java | 17 ++++++----
 .../OAuth2AuthorizationCodeGrantTests.java | 33 +++++++++++++++++++
 2 files changed, 43 insertions(+), 7 deletions(-)

diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationEndpointConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationEndpointConfigurer.java
index 595bc797..5811dcaa 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationEndpointConfigurer.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationEndpointConfigurer.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2023 the original author or authors.
+ * Copyright 2020-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -237,12 +237,15 @@ public final class OAuth2AuthorizationEndpointConfigurer extends AbstractOAuth2C
 void init(HttpSecurity httpSecurity) {
 AuthorizationServerSettings authorizationServerSettings = OAuth2ConfigurerUtils
 .getAuthorizationServerSettings(httpSecurity);
- this.requestMatcher = new OrRequestMatcher(
- new AntPathRequestMatcher(authorizationServerSettings.getAuthorizationEndpoint(),
- HttpMethod.GET.name()),
- new AntPathRequestMatcher(authorizationServerSettings.getAuthorizationEndpoint(),
- HttpMethod.POST.name()));
-
+ List requestMatchers = new ArrayList<>();
+ requestMatchers.add(new AntPathRequestMatcher(authorizationServerSettings.getAuthorizationEndpoint(),
+ HttpMethod.GET.name()));
+ requestMatchers.add(new AntPathRequestMatcher(authorizationServerSettings.getAuthorizationEndpoint(),
+ HttpMethod.POST.name()));
+ if (StringUtils.hasText(this.consentPage)) {
+ requestMatchers.add(new AntPathRequestMatcher(this.consentPage));
+ }
+ this.requestMatcher = new OrRequestMatcher(requestMatchers);
 List authenticationProviders = createDefaultAuthenticationProviders(httpSecurity);
 if (!this.authenticationProviders.isEmpty()) {
 authenticationProviders.addAll(0, this.authenticationProviders);
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationCodeGrantTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationCodeGrantTests.java
index d2795a5b..267bbd2c 100644
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationCodeGrantTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationCodeGrantTests.java
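Review bot: The consent-page matcher is added without an HTTP method, `new AntPathRequestMatcher(this.consentPage)`, so every method on that path now matches the authorization endpoint's request matcher, while the two endpoint matchers beside it are limited to GET and POST. The test added in this commit only needs GET, so `requestMatchers.add(new AntPathRequestMatcher(this.consentPage, HttpMethod.GET.name()));` would keep the widening to what is required. Where `this.requestMatcher` is consumed is outside this hunk; if it also feeds the filter chain's security matcher or a CSRF-ignore list, an application-owned consent controller would inherit those settings for all methods, and that deserves a comment above the `if`. The body of `init` continues past the hunk.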
@@ -104,6 +104,7 @@ import org.springframework.security.oauth2.server.authorization.client.Registere
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
 import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
+import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder;
 import org.springframework.security.oauth2.server.authorization.jackson2.TestingAuthenticationTokenMixin;
 import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
 import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
@@ -125,11 +126,14 @@ import org.springframework.security.web.authentication.AuthenticationSuccessHand
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.stereotype.Controller;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
 import org.springframework.util.StringUtils;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.util.UriComponents;
 import org.springframework.web.util.UriComponentsBuilder;
 import org.springframework.web.util.UriUtils;
@@ -746,6 +750,15 @@ public class OAuth2AuthorizationCodeGrantTests {
 assertThat(authorization).isNotNull();
 }
+ // gh-1668
+ @Test
+ public void requestWhenCustomConsentPageConfiguredThenAuthorizationServerContextIsAccessible() throws Exception {
+ this.spring.register(AuthorizationServerConfigurationCustomConsentPageAccessAuthorizationServerContext.class)
+ .autowire();
+
+ this.mvc.perform(get(consentPage).with(user("user"))).andExpect(status().isOk());
+ }
+
 @Test
 public void requestWhenCustomConsentCustomizerConfiguredThenUsed() throws Exception {
 this.spring.register(AuthorizationServerConfigurationCustomConsentRequest.class).autowire();
@@ -1166,6 +1179,26 @@ public class OAuth2AuthorizationCodeGrantTests {
 }
+ @EnableWebSecurity
+ @Configuration(proxyBeanMethods = false)
+ static class AuthorizationServerConfigurationCustomConsentPageAccessAuthorizationServerContext
+ extends AuthorizationServerConfigurationCustomConsentPage {
+
+ @Controller
+ class ConsentController {
+
+ @GetMapping("/oauth2/consent")
+ @ResponseBody
+ String consent() {
+ // Ensure the AuthorizationServerContext is accessible
+ AuthorizationServerContextHolder.getContext().getIssuer();
+ return "";
+ }
+
+ }
+
+ }
+
 @EnableWebSecurity
 @Configuration(proxyBeanMethods = false)
 static class AuthorizationServerConfigurationCustomConsentRequest extends AuthorizationServerConfiguration {
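Review bot: The new test covers only an authenticated GET (`.with(user("user"))`) and asserts only `status().isOk()`, so nothing pins how the consent path responds to an anonymous request now that it is part of the authorization endpoint matcher. A second request without the user post-processor, `this.mvc.perform(get(consentPage)).andExpect(status().is4xxClientError());` (or `is3xxRedirection()` if this configuration redirects to a login page), would catch a later change that left the page reachable without authentication. Which of the two responses applies depends on the parent configuration, which is not visible in this hunk.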
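Review bot: `consent()` in the added `ConsentController` discards the result of `getIssuer()` and returns an empty body, so the test can only fail when the call throws. Returning the value, `return AuthorizationServerContextHolder.getContext().getIssuer();`, would let the test assert the response body against the configured issuer. That would also catch a context that is present but carries the wrong issuer, not just a missing one.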