From 890b1ef0ed162c26e628b2962ee2a0dacc54f824 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Lindstr=C3=B6m?= Date: Wed, 31 May 2023 20:18:35 +0200 Subject: [PATCH 1/2] Fix to save all values for multi-valued request parameters Fixes gh-1250 --- ...uth2AuthorizationCodeAuthenticationConverter.java | 2 +- ...horizationCodeRequestAuthenticationConverter.java | 2 +- ...2AuthorizationConsentAuthenticationConverter.java | 2 +- ...uth2ClientCredentialsAuthenticationConverter.java | 2 +- .../web/authentication/OAuth2EndpointUtils.java | 8 +++++--- .../OAuth2RefreshTokenAuthenticationConverter.java | 2 +- ...th2TokenIntrospectionAuthenticationConverter.java | 2 +- .../PublicClientAuthenticationConverter.java | 8 +++++++- .../web/OAuth2AuthorizationEndpointFilterTests.java | 8 ++++++++ .../web/OAuth2TokenEndpointFilterTests.java | 12 +++++++++--- .../OAuth2TokenIntrospectionEndpointFilterTests.java | 4 ++-- ...lientSecretBasicAuthenticationConverterTests.java | 4 +++- ...ClientSecretPostAuthenticationConverterTests.java | 4 +++- ...tClientAssertionAuthenticationConverterTests.java | 6 +++++- .../PublicClientAuthenticationConverterTests.java | 6 +++++- 15 files changed, 53 insertions(+), 19 deletions(-) diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeAuthenticationConverter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeAuthenticationConverter.java index bd534891..94f520c3 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeAuthenticationConverter.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeAuthenticationConverter.java 
@@ -84,7 +84,7 @@ public final class OAuth2AuthorizationCodeAuthenticationConverter implements Aut
 !key.equals(OAuth2ParameterNames.CLIENT_ID) &&
 !key.equals(OAuth2ParameterNames.CODE) &&
 !key.equals(OAuth2ParameterNames.REDIRECT_URI)) {
- additionalParameters.put(key, value.get(0));
+ additionalParameters.put(key, value.size() == 1 ? value.get(0) : value.toArray(new String[0]));
 }
 });
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeRequestAuthenticationConverter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeRequestAuthenticationConverter.java
index d8b6a55b..250c80a4 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeRequestAuthenticationConverter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeRequestAuthenticationConverter.java
@@ -138,7 +138,7 @@ public final class OAuth2AuthorizationCodeRequestAuthenticationConverter impleme
 !key.equals(OAuth2ParameterNames.REDIRECT_URI) &&
 !key.equals(OAuth2ParameterNames.SCOPE) &&
 !key.equals(OAuth2ParameterNames.STATE)) {
- additionalParameters.put(key, value.get(0));
+ additionalParameters.put(key, value.size() == 1 ? value.get(0) : value.toArray(new String[0]));
 }
 });
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationConsentAuthenticationConverter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationConsentAuthenticationConverter.java
index 6c618507..574cf5b7 100644
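Review bot: On the `+` line, `value.size() == 1 ? value.get(0) : value.toArray(new String[0])` makes the runtime type of an additional-parameter value depend on how many times the caller repeated the parameter, so any consumer that still reads this map with a `(String)` cast can be made to throw ClassCastException by a request that simply sends the same name twice — the old single-value line hid that, and nothing in the map's declared type catches it at compile time. The contract should be stated where the value is stored, e.g. `// a parameter sent once is stored as String, a repeated one as String[]`, and the javadoc of `getAdditionalParameters()` on the resulting token should say the same. The identical line is hand-copied into the OAuth2AuthorizationCodeRequestAuthenticationConverter hunk below and into the Consent, ClientCredentials, RefreshToken, TokenIntrospection and PublicClient converters later in this patch; a package-private helper in OAuth2EndpointUtils, which already performs the same mapping in its own hunk, would keep the single-versus-array rule in one place. The enclosing `forEach` lambda and the method around it start above this hunk.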
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationConsentAuthenticationConverter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationConsentAuthenticationConverter.java
@@ -93,7 +93,7 @@ public final class OAuth2AuthorizationConsentAuthenticationConverter implements
 if (!key.equals(OAuth2ParameterNames.CLIENT_ID) &&
 !key.equals(OAuth2ParameterNames.STATE) &&
 !key.equals(OAuth2ParameterNames.SCOPE)) {
- additionalParameters.put(key, value.get(0));
+ additionalParameters.put(key, value.size() == 1 ? value.get(0) : value.toArray(new String[0]));
 }
 });
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2ClientCredentialsAuthenticationConverter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2ClientCredentialsAuthenticationConverter.java
index 5bf12514..a0ec4179 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2ClientCredentialsAuthenticationConverter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2ClientCredentialsAuthenticationConverter.java
@@ -79,7 +79,7 @@ public final class OAuth2ClientCredentialsAuthenticationConverter implements Aut
 parameters.forEach((key, value) -> {
 if (!key.equals(OAuth2ParameterNames.GRANT_TYPE) &&
 !key.equals(OAuth2ParameterNames.SCOPE)) {
- additionalParameters.put(key, value.get(0));
+ additionalParameters.put(key, value.size() == 1 ? value.get(0) : value.toArray(new String[0]));
 }
 });
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2EndpointUtils.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2EndpointUtils.java
index 78f2e411..b6d94e36 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2EndpointUtils.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2EndpointUtils.java
@@ -16,8 +16,8 @@
 package org.springframework.security.oauth2.server.authorization.web.authentication;
 import java.util.Collections;
-import java.util.HashMap;
 import java.util.Map;
+import java.util.stream.Collectors;
 import javax.servlet.http.HttpServletRequest;
@@ -58,11 +58,13 @@ final class OAuth2EndpointUtils {
 if (!matchesAuthorizationCodeGrantRequest(request)) {
 return Collections.emptyMap();
 }
- Map parameters = new HashMap<>(getParameters(request).toSingleValueMap());
+ MultiValueMap parameters = getParameters(request);
 for (String exclusion : exclusions) {
 parameters.remove(exclusion);
 }
- return parameters;
+ return parameters.entrySet().stream()
+ .collect(Collectors.toMap(Map.Entry::getKey,
+ e -> e.getValue().size() == 1 ? e.getValue().get(0) : e.getValue().toArray(new String[0])));
 }
 static boolean matchesAuthorizationCodeGrantRequest(HttpServletRequest request) {
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2RefreshTokenAuthenticationConverter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2RefreshTokenAuthenticationConverter.java
index 20882163..e4d8a69b 100644
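Review bot: The new `return parameters.entrySet().stream().collect(Collectors.toMap(...))` drops the explicit `new HashMap<>` the removed line had, and `Collectors.toMap` without a map supplier documents no guarantee about the mutability of the map it returns, so any caller that adds to the result now relies on an implementation detail; passing a supplier keeps the old contract, e.g. `.collect(Collectors.toMap(Map.Entry::getKey, e -> (e.getValue().size() == 1) ? e.getValue().get(0) : e.getValue().toArray(new String[0]), (a, b) -> a, HashMap::new))`, which also means the `import java.util.HashMap;` removed in the first hunk should stay. Separately, `parameters.remove(exclusion)` now mutates the MultiValueMap that `getParameters(request)` returns instead of a copy; that is only safe if `getParameters` builds a fresh map per call, which this hunk does not show, so worth confirming before a later reader of the same map silently loses the excluded entries. The enclosing method's signature and javadoc lie above this hunk.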
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2RefreshTokenAuthenticationConverter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2RefreshTokenAuthenticationConverter.java
@@ -90,7 +90,7 @@ public final class OAuth2RefreshTokenAuthenticationConverter implements Authenti
 if (!key.equals(OAuth2ParameterNames.GRANT_TYPE) &&
 !key.equals(OAuth2ParameterNames.REFRESH_TOKEN) &&
 !key.equals(OAuth2ParameterNames.SCOPE)) {
- additionalParameters.put(key, value.get(0));
+ additionalParameters.put(key, value.size() == 1 ? value.get(0) : value.toArray(new String[0]));
 }
 });
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2TokenIntrospectionAuthenticationConverter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2TokenIntrospectionAuthenticationConverter.java
index 94a3dbd5..202c11ec 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2TokenIntrospectionAuthenticationConverter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2TokenIntrospectionAuthenticationConverter.java
@@ -69,7 +69,7 @@ public final class OAuth2TokenIntrospectionAuthenticationConverter implements Au
 parameters.forEach((key, value) -> {
 if (!key.equals(OAuth2ParameterNames.TOKEN) &&
 !key.equals(OAuth2ParameterNames.TOKEN_TYPE_HINT)) {
- additionalParameters.put(key, value.get(0));
+ additionalParameters.put(key, value.size() == 1 ? value.get(0) : value.toArray(new String[0]));
 }
 });
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/PublicClientAuthenticationConverter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/PublicClientAuthenticationConverter.java
index 488b8524..d48e0d82 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/PublicClientAuthenticationConverter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/PublicClientAuthenticationConverter.java
@@ -16,6 +16,7 @@
 package org.springframework.security.oauth2.server.authorization.web.authentication;
 import java.util.HashMap;
+import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
@@ -68,7 +69,12 @@ public final class PublicClientAuthenticationConverter implements Authentication
 parameters.remove(OAuth2ParameterNames.CLIENT_ID);
+ Map additionalParameters = new HashMap<>();
+ parameters.forEach((key, value) -> {
+ additionalParameters.put(key, value.size() == 1 ? value.get(0) : value.toArray(new String[0]));
+ });
+
 return new OAuth2ClientAuthenticationToken(clientId, ClientAuthenticationMethod.NONE, null,
- new HashMap<>(parameters.toSingleValueMap()));
+ additionalParameters);
 }
 }
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java
index 6dfd58ce..2b27f839 100644
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java
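Review bot: For a public client every entry left in `parameters` after `parameters.remove(OAuth2ParameterNames.CLIENT_ID)` comes from an unauthenticated caller, and after the new `forEach` a repeated parameter is stored as `String[]` while a single one stays `String`; if the PKCE validation downstream reads `code_verifier` from `additionalParameters` with a `String` cast (not visible in this hunk — worth checking), a request that repeats `code_verifier` would now fail with a ClassCastException instead of the clean invalid_request/invalid_grant error the protocol expects. RFC 6749 §3.1 does not allow a request parameter to appear more than once, so the converter could reject repeats of the protocol parameters it knows about before the loop, e.g. `if (parameters.get(PkceParameterNames.CODE_VERIFIER) != null && parameters.get(PkceParameterNames.CODE_VERIFIER).size() != 1) { throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_REQUEST); }`, in the same place where client_id is validated above this hunk. A one-line comment on the `put`, `// single-valued -> String, repeated -> String[]`, would also spare the next reader a surprise.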
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java @@ -556,6 +556,8 @@ public class OAuth2AuthorizationEndpointFilterTests { .thenReturn(authorizationCodeRequestAuthenticationResult); MockHttpServletRequest request = createAuthorizationRequest(registeredClient); + request.addParameter("foo", "value1", "value2"); + MockHttpServletResponse response = new MockHttpServletResponse(); FilterChain filterChain = mock(FilterChain.class); @@ -570,6 +572,12 @@ public class OAuth2AuthorizationEndpointFilterTests { .asInstanceOf(type(WebAuthenticationDetails.class)) .extracting(WebAuthenticationDetails::getRemoteAddress) .isEqualTo(REMOTE_ADDRESS); + + // Assert that multi-valued request parameters are preserved + assertThat(authorizationCodeRequestAuthenticationCaptor.getValue().getAdditionalParameters()) + .extracting(ap -> ap.get("foo")) + .asInstanceOf(type(String[].class)) + .isEqualTo(new String[] { "value1", "value2" }); assertThat(response.getStatus()).isEqualTo(HttpStatus.FOUND.value()); assertThat(response.getRedirectedUrl()).isEqualTo( "https://example.com?param=encoded%20parameter%20value&code=code&state=client%20state"); diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilterTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilterTests.java index ea7ae6fc..d2ed3fa0 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilterTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilterTests.java 
@@ -273,7 +273,8 @@ public class OAuth2TokenEndpointFilterTests {
 assertThat(authorizationCodeAuthentication.getRedirectUri()).isEqualTo(
 request.getParameter(OAuth2ParameterNames.REDIRECT_URI));
 assertThat(authorizationCodeAuthentication.getAdditionalParameters())
- .containsExactly(entry("custom-param-1", "custom-value-1"));
+ .containsExactly(entry("custom-param-1", "custom-value-1"),
+ entry("custom-param-2", new String[]{ "custom-value-2a", "custom-value-2b" }));
 assertThat(authorizationCodeAuthentication.getDetails())
 .asInstanceOf(type(WebAuthenticationDetails.class))
 .extracting(WebAuthenticationDetails::getRemoteAddress)
@@ -340,7 +341,8 @@ public class OAuth2TokenEndpointFilterTests {
 assertThat(clientCredentialsAuthentication.getPrincipal()).isEqualTo(clientPrincipal);
 assertThat(clientCredentialsAuthentication.getScopes()).isEqualTo(registeredClient.getScopes());
 assertThat(clientCredentialsAuthentication.getAdditionalParameters())
- .containsExactly(entry("custom-param-1", "custom-value-1"));
+ .containsExactly(entry("custom-param-1", "custom-value-1"),
+ entry("custom-param-2", new String[]{ "custom-value-2a", "custom-value-2b" }));
 assertThat(clientCredentialsAuthentication.getDetails())
 .asInstanceOf(type(WebAuthenticationDetails.class))
 .extracting(WebAuthenticationDetails::getRemoteAddress)
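Review bot: `.containsExactly(entry("custom-param-1", ...), entry("custom-param-2", ...))` is order-sensitive, and the map under test is built with `new HashMap<>()` in the PublicClientAuthenticationConverter hunk of this patch and presumably the same way in the token converters, so with two entries the assertion now passes only because of HashMap's current iteration order for these two keys. The order-insensitive `.containsOnly(...)` that the converter tests later in this patch use expresses the intent and stays stable across JDK changes; the same two-line change applies to the second hunk here and to the refresh-token hunk of this file.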
@@ -430,7 +432,8 @@ public class OAuth2TokenEndpointFilterTests { assertThat(refreshTokenAuthenticationToken.getPrincipal()).isEqualTo(clientPrincipal); assertThat(refreshTokenAuthenticationToken.getScopes()).isEqualTo(registeredClient.getScopes()); assertThat(refreshTokenAuthenticationToken.getAdditionalParameters()) - .containsExactly(entry("custom-param-1", "custom-value-1")); + .containsExactly(entry("custom-param-1", "custom-value-1"), + entry("custom-param-2", new String[]{ "custom-value-2a", "custom-value-2b" })); assertThat(refreshTokenAuthenticationToken.getDetails()) .asInstanceOf(type(WebAuthenticationDetails.class)) .extracting(WebAuthenticationDetails::getRemoteAddress) @@ -613,6 +616,7 @@ public class OAuth2TokenEndpointFilterTests { // The client does not need to send the client ID param, but we are resilient in case they do request.addParameter(OAuth2ParameterNames.CLIENT_ID, registeredClient.getClientId()); request.addParameter("custom-param-1", "custom-value-1"); + request.addParameter("custom-param-2", "custom-value-2a", "custom-value-2b"); return request; } @@ -627,6 +631,7 @@ public class OAuth2TokenEndpointFilterTests { request.addParameter(OAuth2ParameterNames.SCOPE, StringUtils.collectionToDelimitedString(registeredClient.getScopes(), " ")); request.addParameter("custom-param-1", "custom-value-1"); + request.addParameter("custom-param-2", "custom-value-2a", "custom-value-2b"); return request; } @@ -642,6 +647,7 @@ public class OAuth2TokenEndpointFilterTests { request.addParameter(OAuth2ParameterNames.SCOPE, StringUtils.collectionToDelimitedString(registeredClient.getScopes(), " ")); request.addParameter("custom-param-1", "custom-value-1"); + request.addParameter("custom-param-2", "custom-value-2a", "custom-value-2b"); return request; } 
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenIntrospectionEndpointFilterTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenIntrospectionEndpointFilterTests.java index a10ad717..2f0657e5 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenIntrospectionEndpointFilterTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenIntrospectionEndpointFilterTests.java @@ -219,7 +219,7 @@ public class OAuth2TokenIntrospectionEndpointFilterTests { MockHttpServletRequest request = createTokenIntrospectionRequest( accessToken.getTokenValue(), OAuth2TokenType.ACCESS_TOKEN.getValue()); request.addParameter("custom-param-1", "custom-value-1"); - request.addParameter("custom-param-2", "custom-value-2"); + request.addParameter("custom-param-2", "custom-value-2a", "custom-value-2b"); MockHttpServletResponse response = new MockHttpServletResponse(); FilterChain filterChain = mock(FilterChain.class); @@ -236,7 +236,7 @@ public class OAuth2TokenIntrospectionEndpointFilterTests { assertThat(tokenIntrospectionAuthentication.getValue().getAdditionalParameters()) .contains( entry("custom-param-1", "custom-value-1"), - entry("custom-param-2", "custom-value-2")); + entry("custom-param-2", new String[]{"custom-value-2a", "custom-value-2b"})); OAuth2TokenIntrospection tokenIntrospectionResponse = readTokenIntrospectionResponse(response); assertThat(tokenIntrospectionResponse.isActive()).isEqualTo(tokenClaims.isActive()); 
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/ClientSecretBasicAuthenticationConverterTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/ClientSecretBasicAuthenticationConverterTests.java index 17a52f61..ccb3898c 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/ClientSecretBasicAuthenticationConverterTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/ClientSecretBasicAuthenticationConverterTests.java @@ -106,6 +106,7 @@ public class ClientSecretBasicAuthenticationConverterTests { @Test public void convertWhenConfidentialClientWithPkceParametersThenAdditionalParametersIncluded() throws Exception { MockHttpServletRequest request = createPkceTokenRequest(); + request.addParameter("custom-param-1", "custom-value-1a", "custom-value-1b"); request.addHeader(HttpHeaders.AUTHORIZATION, "Basic " + encodeBasicAuth("clientId", "secret")); OAuth2ClientAuthenticationToken authentication = (OAuth2ClientAuthenticationToken) this.converter.convert(request); assertThat(authentication.getPrincipal()).isEqualTo("clientId"); @@ -115,7 +116,8 @@ public class ClientSecretBasicAuthenticationConverterTests { .containsOnly( entry(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.AUTHORIZATION_CODE.getValue()), entry(OAuth2ParameterNames.CODE, "code"), - entry(PkceParameterNames.CODE_VERIFIER, "code-verifier-1")); + entry(PkceParameterNames.CODE_VERIFIER, "code-verifier-1"), + entry("custom-param-1", new String[] { "custom-value-1a", "custom-value-1b" })); } private static String encodeBasicAuth(String clientId, String secret) throws Exception { 
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/ClientSecretPostAuthenticationConverterTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/ClientSecretPostAuthenticationConverterTests.java index 5f0a96d9..07b6b6c5 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/ClientSecretPostAuthenticationConverterTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/ClientSecretPostAuthenticationConverterTests.java @@ -95,6 +95,7 @@ public class ClientSecretPostAuthenticationConverterTests { MockHttpServletRequest request = createPkceTokenRequest(); request.addParameter(OAuth2ParameterNames.CLIENT_ID, "client-1"); request.addParameter(OAuth2ParameterNames.CLIENT_SECRET, "client-secret"); + request.addParameter("custom-param-1", "custom-value-1a", "custom-value-1b"); OAuth2ClientAuthenticationToken authentication = (OAuth2ClientAuthenticationToken) this.converter.convert(request); assertThat(authentication.getPrincipal()).isEqualTo("client-1"); assertThat(authentication.getCredentials()).isEqualTo("client-secret"); @@ -103,7 +104,8 @@ public class ClientSecretPostAuthenticationConverterTests { .containsOnly( entry(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.AUTHORIZATION_CODE.getValue()), entry(OAuth2ParameterNames.CODE, "code"), - entry(PkceParameterNames.CODE_VERIFIER, "code-verifier-1")); + entry(PkceParameterNames.CODE_VERIFIER, "code-verifier-1"), + entry("custom-param-1", new String[] { "custom-value-1a", "custom-value-1b" })); } private static MockHttpServletRequest createPkceTokenRequest() { 
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/JwtClientAssertionAuthenticationConverterTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/JwtClientAssertionAuthenticationConverterTests.java index 38cec863..470a7f80 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/JwtClientAssertionAuthenticationConverterTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/JwtClientAssertionAuthenticationConverterTests.java @@ -107,6 +107,8 @@ public class JwtClientAssertionAuthenticationConverterTests { request.addParameter(OAuth2ParameterNames.CLIENT_ID, "client-1"); request.addParameter(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.AUTHORIZATION_CODE.getValue()); request.addParameter(OAuth2ParameterNames.CODE, "code"); + request.addParameter("custom-param-1", "custom-value-1"); + request.addParameter("custom-param-2", "custom-value-2a", "custom-value-2b"); OAuth2ClientAuthenticationToken authentication = (OAuth2ClientAuthenticationToken) this.converter.convert(request); assertThat(authentication.getPrincipal()).isEqualTo("client-1"); assertThat(authentication.getCredentials()).isEqualTo("jwt-assertion"); @@ -114,7 +116,9 @@ public class JwtClientAssertionAuthenticationConverterTests { assertThat(authentication.getAdditionalParameters()) .containsOnly( entry(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.AUTHORIZATION_CODE.getValue()), - entry(OAuth2ParameterNames.CODE, "code")); + entry(OAuth2ParameterNames.CODE, "code"), + entry("custom-param-1", "custom-value-1"), + entry("custom-param-2", new String[] {"custom-value-2a", "custom-value-2b"})); } private void assertThrown(MockHttpServletRequest request, String errorCode) { 
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/PublicClientAuthenticationConverterTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/PublicClientAuthenticationConverterTests.java index 5518b575..557ec1ff 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/PublicClientAuthenticationConverterTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/PublicClientAuthenticationConverterTests.java @@ -82,6 +82,8 @@ public class PublicClientAuthenticationConverterTests { @Test public void convertWhenPublicClientThenReturnClientAuthenticationToken() { MockHttpServletRequest request = createPkceTokenRequest(); + request.addParameter("param-1", "value-1"); + request.addParameter("param-2", "value-2", "value-2b"); OAuth2ClientAuthenticationToken authentication = (OAuth2ClientAuthenticationToken) this.converter.convert(request); assertThat(authentication.getPrincipal()).isEqualTo("client-1"); assertThat(authentication.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.NONE); @@ -89,7 +91,9 @@ public class PublicClientAuthenticationConverterTests { .containsOnly( entry(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.AUTHORIZATION_CODE.getValue()), entry(OAuth2ParameterNames.CODE, "code"), - entry(PkceParameterNames.CODE_VERIFIER, "code-verifier-1")); + entry(PkceParameterNames.CODE_VERIFIER, "code-verifier-1"), + entry("param-1", "value-1"), + entry("param-2", new String[] {"value-2", "value-2b"})); } private static MockHttpServletRequest createPkceTokenRequest() { From 2b3b5d2531108f2fda7fb2ac07bcd9a742186c6c Mon Sep 17 00:00:00 2001 
From: Joe Grandja Date: Fri, 16 Jun 2023 07:05:26 -0400 Subject: [PATCH 2/2] Polish gh-1252 --- ...horizationCodeAuthenticationConverter.java | 4 ++-- ...ionCodeRequestAuthenticationConverter.java | 4 ++-- ...izationConsentAuthenticationConverter.java | 4 ++-- ...entCredentialsAuthenticationConverter.java | 4 ++-- .../authentication/OAuth2EndpointUtils.java | 17 ++++++++++------- ...h2RefreshTokenAuthenticationConverter.java | 4 ++-- ...nIntrospectionAuthenticationConverter.java | 4 ++-- .../PublicClientAuthenticationConverter.java | 7 +++---- ...Auth2AuthorizationEndpointFilterTests.java | 6 +++--- .../web/OAuth2TokenEndpointFilterTests.java | 19 ++++++++----------- ...TokenIntrospectionEndpointFilterTests.java | 6 +++--- ...cretBasicAuthenticationConverterTests.java | 6 +++--- ...ecretPostAuthenticationConverterTests.java | 6 +++--- ...AssertionAuthenticationConverterTests.java | 6 +++--- ...licClientAuthenticationConverterTests.java | 10 +++++----- 15 files changed, 53 insertions(+), 54 deletions(-) diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeAuthenticationConverter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeAuthenticationConverter.java index 94f520c3..76c99baf 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeAuthenticationConverter.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeAuthenticationConverter.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 the original author or authors. + * Copyright 2020-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -84,7 +84,7 @@ public final class OAuth2AuthorizationCodeAuthenticationConverter implements Aut !key.equals(OAuth2ParameterNames.CLIENT_ID) && !key.equals(OAuth2ParameterNames.CODE) && !key.equals(OAuth2ParameterNames.REDIRECT_URI)) { - additionalParameters.put(key, value.size() == 1 ? value.get(0) : value.toArray(new String[0])); + additionalParameters.put(key, (value.size() == 1) ? value.get(0) : value.toArray(new String[0])); } }); diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeRequestAuthenticationConverter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeRequestAuthenticationConverter.java index 250c80a4..cd38789a 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeRequestAuthenticationConverter.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeRequestAuthenticationConverter.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 the original author or authors. + * Copyright 2020-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -138,7 +138,7 @@ public final class OAuth2AuthorizationCodeRequestAuthenticationConverter impleme !key.equals(OAuth2ParameterNames.REDIRECT_URI) && !key.equals(OAuth2ParameterNames.SCOPE) && !key.equals(OAuth2ParameterNames.STATE)) { - additionalParameters.put(key, value.size() == 1 ? value.get(0) : value.toArray(new String[0])); + additionalParameters.put(key, (value.size() == 1) ? value.get(0) : value.toArray(new String[0])); } }); diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationConsentAuthenticationConverter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationConsentAuthenticationConverter.java index 574cf5b7..d6b0f477 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationConsentAuthenticationConverter.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationConsentAuthenticationConverter.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 the original author or authors. + * Copyright 2020-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -93,7 +93,7 @@ public final class OAuth2AuthorizationConsentAuthenticationConverter implements if (!key.equals(OAuth2ParameterNames.CLIENT_ID) && !key.equals(OAuth2ParameterNames.STATE) && !key.equals(OAuth2ParameterNames.SCOPE)) { - additionalParameters.put(key, value.size() == 1 ? value.get(0) : value.toArray(new String[0])); + additionalParameters.put(key, (value.size() == 1) ? value.get(0) : value.toArray(new String[0])); } }); 
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2ClientCredentialsAuthenticationConverter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2ClientCredentialsAuthenticationConverter.java index a0ec4179..a9578125 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2ClientCredentialsAuthenticationConverter.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2ClientCredentialsAuthenticationConverter.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 the original author or authors. + * Copyright 2020-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -79,7 +79,7 @@ public final class OAuth2ClientCredentialsAuthenticationConverter implements Aut parameters.forEach((key, value) -> { if (!key.equals(OAuth2ParameterNames.GRANT_TYPE) && !key.equals(OAuth2ParameterNames.SCOPE)) { - additionalParameters.put(key, value.size() == 1 ? value.get(0) : value.toArray(new String[0])); + additionalParameters.put(key, (value.size() == 1) ? value.get(0) : value.toArray(new String[0])); } }); diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2EndpointUtils.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2EndpointUtils.java index b6d94e36..ef08954a 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2EndpointUtils.java 
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2EndpointUtils.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 the original author or authors. + * Copyright 2020-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,8 +16,8 @@ package org.springframework.security.oauth2.server.authorization.web.authentication; import java.util.Collections; +import java.util.HashMap; import java.util.Map; -import java.util.stream.Collectors; import javax.servlet.http.HttpServletRequest; @@ -58,13 +58,16 @@ final class OAuth2EndpointUtils { if (!matchesAuthorizationCodeGrantRequest(request)) { return Collections.emptyMap(); } - MultiValueMap parameters = getParameters(request); + MultiValueMap multiValueParameters = getParameters(request); for (String exclusion : exclusions) { - parameters.remove(exclusion); + multiValueParameters.remove(exclusion); } - return parameters.entrySet().stream() - .collect(Collectors.toMap(Map.Entry::getKey, - e -> e.getValue().size() == 1 ? e.getValue().get(0) : e.getValue().toArray(new String[0]))); + + Map parameters = new HashMap<>(); + multiValueParameters.forEach((key, value) -> + parameters.put(key, (value.size() == 1) ? value.get(0) : value.toArray(new String[0]))); + + return parameters; } static boolean matchesAuthorizationCodeGrantRequest(HttpServletRequest request) { diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2RefreshTokenAuthenticationConverter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2RefreshTokenAuthenticationConverter.java index e4d8a69b..49ef5ade 100644 
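Review bot: The new `parameters` map in the @@ -58 hunk mixes two value types — `String` when a parameter was sent once, `String[]` when the client repeated it — and neither the hunk nor (as far as is visible) the method's Javadoc says so, which matters because a caller that casts a value to `String` fails on the array and RFC 6749 §3.1/§3.2 forbid repeated parameters in the first place. I would add a comment on the `multiValueParameters.forEach` line such as `// Keep a repeated parameter as String[] rather than silently taking its first value, so callers can see and reject it` and state the same contract in the method's Javadoc. Note also that the guard above still returns `Collections.emptyMap()`, which is immutable, while this path now returns a mutable `HashMap`; if any caller adds to the result, return `new HashMap<>()` from the guard as well. The method signature is above the hunk.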
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2RefreshTokenAuthenticationConverter.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2RefreshTokenAuthenticationConverter.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 the original author or authors. + * Copyright 2020-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -90,7 +90,7 @@ public final class OAuth2RefreshTokenAuthenticationConverter implements Authenti if (!key.equals(OAuth2ParameterNames.GRANT_TYPE) && !key.equals(OAuth2ParameterNames.REFRESH_TOKEN) && !key.equals(OAuth2ParameterNames.SCOPE)) { - additionalParameters.put(key, value.size() == 1 ? value.get(0) : value.toArray(new String[0])); + additionalParameters.put(key, (value.size() == 1) ? value.get(0) : value.toArray(new String[0])); } }); diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2TokenIntrospectionAuthenticationConverter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2TokenIntrospectionAuthenticationConverter.java index 202c11ec..3829ee42 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2TokenIntrospectionAuthenticationConverter.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2TokenIntrospectionAuthenticationConverter.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 the original author or authors. + * Copyright 2020-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -69,7 +69,7 @@ public final class OAuth2TokenIntrospectionAuthenticationConverter implements Au parameters.forEach((key, value) -> { if (!key.equals(OAuth2ParameterNames.TOKEN) && !key.equals(OAuth2ParameterNames.TOKEN_TYPE_HINT)) { - additionalParameters.put(key, value.size() == 1 ? value.get(0) : value.toArray(new String[0])); + additionalParameters.put(key, (value.size() == 1) ? value.get(0) : value.toArray(new String[0])); } }); diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/PublicClientAuthenticationConverter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/PublicClientAuthenticationConverter.java index d48e0d82..157bdb09 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/PublicClientAuthenticationConverter.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/PublicClientAuthenticationConverter.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2021 the original author or authors. + * Copyright 2020-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -70,9 +70,8 @@ public final class PublicClientAuthenticationConverter implements Authentication parameters.remove(OAuth2ParameterNames.CLIENT_ID); Map additionalParameters = new HashMap<>(); - parameters.forEach((key, value) -> { - additionalParameters.put(key, value.size() == 1 ? value.get(0) : value.toArray(new String[0])); - }); + parameters.forEach((key, value) -> + additionalParameters.put(key, (value.size() == 1) ? value.get(0) : value.toArray(new String[0]))); return new OAuth2ClientAuthenticationToken(clientId, ClientAuthenticationMethod.NONE, null, additionalParameters); diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java index 2b27f839..163c130f 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java @@ -556,7 +556,7 @@ public class OAuth2AuthorizationEndpointFilterTests { .thenReturn(authorizationCodeRequestAuthenticationResult); MockHttpServletRequest request = createAuthorizationRequest(registeredClient); - request.addParameter("foo", "value1", "value2"); + request.addParameter("custom-param", "custom-value-1", "custom-value-2"); MockHttpServletResponse response = new MockHttpServletResponse(); FilterChain filterChain = mock(FilterChain.class); 
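Review bot: A public client that sends `code_verifier` twice now gets it stored as a `String[]` in additionalParameters, because the loop after `parameters.remove(OAuth2ParameterNames.CLIENT_ID)` keeps every remaining multi-valued parameter and the tests in this patch show `code_verifier` travels in that map. RFC 6749 §3.2 says token-endpoint parameters MUST NOT be included more than once, and a PKCE verifier has no multi-valued meaning, so any downstream code that casts that entry to `String` would fail on the array instead of rejecting the request. Unless the part of convert() above the hunk already enforces this, add `if (parameters.get(PkceParameterNames.CODE_VERIFIER).size() != 1)` before the loop and fail the request with the OAuth2 `invalid_request` error, the same way a malformed `client_id` is presumably handled above. The start of convert() is outside the hunk.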
@@ -575,9 +575,9 @@ public class OAuth2AuthorizationEndpointFilterTests { // Assert that multi-valued request parameters are preserved assertThat(authorizationCodeRequestAuthenticationCaptor.getValue().getAdditionalParameters()) - .extracting(ap -> ap.get("foo")) + .extracting(params -> params.get("custom-param")) .asInstanceOf(type(String[].class)) - .isEqualTo(new String[] { "value1", "value2" }); + .isEqualTo(new String[] { "custom-value-1", "custom-value-2" }); assertThat(response.getStatus()).isEqualTo(HttpStatus.FOUND.value()); assertThat(response.getRedirectedUrl()).isEqualTo( "https://example.com?param=encoded%20parameter%20value&code=code&state=client%20state"); diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilterTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilterTests.java index d2ed3fa0..89535b94 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilterTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilterTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 the original author or authors. + * Copyright 2020-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -18,7 +18,6 @@ package org.springframework.security.oauth2.server.authorization.web; import java.time.Duration; import java.time.Instant; import java.util.Arrays; -import java.util.Collections; import java.util.HashSet; import java.util.Map; 
@@ -242,10 +241,9 @@ public class OAuth2TokenEndpointFilterTests { new HashSet<>(Arrays.asList("scope1", "scope2"))); OAuth2RefreshToken refreshToken = new OAuth2RefreshToken( "refresh-token", Instant.now(), Instant.now().plus(Duration.ofDays(1))); - Map additionalParameters = Collections.singletonMap("custom-param", "custom-value"); OAuth2AccessTokenAuthenticationToken accessTokenAuthentication = new OAuth2AccessTokenAuthenticationToken( - registeredClient, clientPrincipal, accessToken, refreshToken, additionalParameters); + registeredClient, clientPrincipal, accessToken, refreshToken); when(this.authenticationManager.authenticate(any())).thenReturn(accessTokenAuthentication); @@ -274,7 +272,7 @@ public class OAuth2TokenEndpointFilterTests { request.getParameter(OAuth2ParameterNames.REDIRECT_URI)); assertThat(authorizationCodeAuthentication.getAdditionalParameters()) .containsExactly(entry("custom-param-1", "custom-value-1"), - entry("custom-param-2", new String[]{ "custom-value-2a", "custom-value-2b" })); + entry("custom-param-2", new String[] { "custom-value-1", "custom-value-2" })); assertThat(authorizationCodeAuthentication.getDetails()) .asInstanceOf(type(WebAuthenticationDetails.class)) .extracting(WebAuthenticationDetails::getRemoteAddress) @@ -292,7 +290,6 @@ public class OAuth2TokenEndpointFilterTests { accessToken.getExpiresAt().minusSeconds(1), accessToken.getExpiresAt().plusSeconds(1)); assertThat(accessTokenResult.getScopes()).isEqualTo(accessToken.getScopes()); assertThat(accessTokenResponse.getRefreshToken().getTokenValue()).isEqualTo(refreshToken.getTokenValue()); - assertThat(accessTokenResponse.getAdditionalParameters()).containsExactly(entry("custom-param", "custom-value")); } @Test 
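Review bot: The @@ -242 hunk drops the `additionalParameters` map passed to `OAuth2AccessTokenAuthenticationToken`, and the @@ -292 hunk drops the matching `assertThat(accessTokenResponse.getAdditionalParameters()).containsExactly(entry("custom-param", "custom-value"))`, which was the only visible check that additional parameters attached to the authentication result are written into the token response; that behaviour is unrelated to the multi-valued request-parameter fix this patch polishes. Unless another test covers the response side, I would keep the five-argument constructor call with `Collections.singletonMap("custom-param", "custom-value")` and restore that assertion (which also means keeping the `java.util.Collections` import removed earlier in this file). The test method starts above the hunk.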
@@ -342,7 +339,7 @@ public class OAuth2TokenEndpointFilterTests { assertThat(clientCredentialsAuthentication.getScopes()).isEqualTo(registeredClient.getScopes()); assertThat(clientCredentialsAuthentication.getAdditionalParameters()) .containsExactly(entry("custom-param-1", "custom-value-1"), - entry("custom-param-2", new String[]{ "custom-value-2a", "custom-value-2b" })); + entry("custom-param-2", new String[] { "custom-value-1", "custom-value-2" })); assertThat(clientCredentialsAuthentication.getDetails()) .asInstanceOf(type(WebAuthenticationDetails.class)) .extracting(WebAuthenticationDetails::getRemoteAddress) @@ -433,7 +430,7 @@ public class OAuth2TokenEndpointFilterTests { assertThat(refreshTokenAuthenticationToken.getScopes()).isEqualTo(registeredClient.getScopes()); assertThat(refreshTokenAuthenticationToken.getAdditionalParameters()) .containsExactly(entry("custom-param-1", "custom-value-1"), - entry("custom-param-2", new String[]{ "custom-value-2a", "custom-value-2b" })); + entry("custom-param-2", new String[] { "custom-value-1", "custom-value-2" })); assertThat(refreshTokenAuthenticationToken.getDetails()) .asInstanceOf(type(WebAuthenticationDetails.class)) .extracting(WebAuthenticationDetails::getRemoteAddress) @@ -616,7 +613,7 @@ public class OAuth2TokenEndpointFilterTests { // The client does not need to send the client ID param, but we are resilient in case they do request.addParameter(OAuth2ParameterNames.CLIENT_ID, registeredClient.getClientId()); request.addParameter("custom-param-1", "custom-value-1"); - request.addParameter("custom-param-2", "custom-value-2a", "custom-value-2b"); + request.addParameter("custom-param-2", "custom-value-1", "custom-value-2"); return request; } 
@@ -631,7 +628,7 @@ public class OAuth2TokenEndpointFilterTests { request.addParameter(OAuth2ParameterNames.SCOPE, StringUtils.collectionToDelimitedString(registeredClient.getScopes(), " ")); request.addParameter("custom-param-1", "custom-value-1"); - request.addParameter("custom-param-2", "custom-value-2a", "custom-value-2b"); + request.addParameter("custom-param-2", "custom-value-1", "custom-value-2"); return request; } @@ -647,7 +644,7 @@ public class OAuth2TokenEndpointFilterTests { request.addParameter(OAuth2ParameterNames.SCOPE, StringUtils.collectionToDelimitedString(registeredClient.getScopes(), " ")); request.addParameter("custom-param-1", "custom-value-1"); - request.addParameter("custom-param-2", "custom-value-2a", "custom-value-2b"); + request.addParameter("custom-param-2", "custom-value-1", "custom-value-2"); return request; } diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenIntrospectionEndpointFilterTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenIntrospectionEndpointFilterTests.java index 2f0657e5..c621a257 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenIntrospectionEndpointFilterTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenIntrospectionEndpointFilterTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 the original author or authors. + * Copyright 2020-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -219,7 +219,7 @@ public class OAuth2TokenIntrospectionEndpointFilterTests { MockHttpServletRequest request = createTokenIntrospectionRequest( accessToken.getTokenValue(), OAuth2TokenType.ACCESS_TOKEN.getValue()); request.addParameter("custom-param-1", "custom-value-1"); - request.addParameter("custom-param-2", "custom-value-2a", "custom-value-2b"); + request.addParameter("custom-param-2", "custom-value-1", "custom-value-2"); MockHttpServletResponse response = new MockHttpServletResponse(); FilterChain filterChain = mock(FilterChain.class); @@ -236,7 +236,7 @@ public class OAuth2TokenIntrospectionEndpointFilterTests { assertThat(tokenIntrospectionAuthentication.getValue().getAdditionalParameters()) .contains( entry("custom-param-1", "custom-value-1"), - entry("custom-param-2", new String[]{"custom-value-2a", "custom-value-2b"})); + entry("custom-param-2", new String[] {"custom-value-1", "custom-value-2"})); OAuth2TokenIntrospection tokenIntrospectionResponse = readTokenIntrospectionResponse(response); assertThat(tokenIntrospectionResponse.isActive()).isEqualTo(tokenClaims.isActive()); diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/ClientSecretBasicAuthenticationConverterTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/ClientSecretBasicAuthenticationConverterTests.java index ccb3898c..7b5a222c 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/ClientSecretBasicAuthenticationConverterTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/ClientSecretBasicAuthenticationConverterTests.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 the original author or authors. + * Copyright 2020-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -106,7 +106,7 @@ public class ClientSecretBasicAuthenticationConverterTests { @Test public void convertWhenConfidentialClientWithPkceParametersThenAdditionalParametersIncluded() throws Exception { MockHttpServletRequest request = createPkceTokenRequest(); - request.addParameter("custom-param-1", "custom-value-1a", "custom-value-1b"); + request.addParameter("custom-param", "custom-value-1", "custom-value-2"); request.addHeader(HttpHeaders.AUTHORIZATION, "Basic " + encodeBasicAuth("clientId", "secret")); OAuth2ClientAuthenticationToken authentication = (OAuth2ClientAuthenticationToken) this.converter.convert(request); assertThat(authentication.getPrincipal()).isEqualTo("clientId"); @@ -117,7 +117,7 @@ public class ClientSecretBasicAuthenticationConverterTests { entry(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.AUTHORIZATION_CODE.getValue()), entry(OAuth2ParameterNames.CODE, "code"), entry(PkceParameterNames.CODE_VERIFIER, "code-verifier-1"), - entry("custom-param-1", new String[] { "custom-value-1a", "custom-value-1b" })); + entry("custom-param", new String[] { "custom-value-1", "custom-value-2" })); } private static String encodeBasicAuth(String clientId, String secret) throws Exception { diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/ClientSecretPostAuthenticationConverterTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/ClientSecretPostAuthenticationConverterTests.java index 07b6b6c5..894fb409 100644 
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/ClientSecretPostAuthenticationConverterTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/ClientSecretPostAuthenticationConverterTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 the original author or authors. + * Copyright 2020-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -95,7 +95,7 @@ public class ClientSecretPostAuthenticationConverterTests { MockHttpServletRequest request = createPkceTokenRequest(); request.addParameter(OAuth2ParameterNames.CLIENT_ID, "client-1"); request.addParameter(OAuth2ParameterNames.CLIENT_SECRET, "client-secret"); - request.addParameter("custom-param-1", "custom-value-1a", "custom-value-1b"); + request.addParameter("custom-param", "custom-value-1", "custom-value-2"); OAuth2ClientAuthenticationToken authentication = (OAuth2ClientAuthenticationToken) this.converter.convert(request); assertThat(authentication.getPrincipal()).isEqualTo("client-1"); assertThat(authentication.getCredentials()).isEqualTo("client-secret"); @@ -105,7 +105,7 @@ public class ClientSecretPostAuthenticationConverterTests { entry(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.AUTHORIZATION_CODE.getValue()), entry(OAuth2ParameterNames.CODE, "code"), entry(PkceParameterNames.CODE_VERIFIER, "code-verifier-1"), - entry("custom-param-1", new String[] { "custom-value-1a", "custom-value-1b" })); + entry("custom-param", new String[] { "custom-value-1", "custom-value-2" })); } private static MockHttpServletRequest createPkceTokenRequest() { 
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/JwtClientAssertionAuthenticationConverterTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/JwtClientAssertionAuthenticationConverterTests.java index 470a7f80..13fb6488 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/JwtClientAssertionAuthenticationConverterTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/JwtClientAssertionAuthenticationConverterTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 the original author or authors. + * Copyright 2020-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -108,7 +108,7 @@ public class JwtClientAssertionAuthenticationConverterTests { request.addParameter(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.AUTHORIZATION_CODE.getValue()); request.addParameter(OAuth2ParameterNames.CODE, "code"); request.addParameter("custom-param-1", "custom-value-1"); - request.addParameter("custom-param-2", "custom-value-2a", "custom-value-2b"); + request.addParameter("custom-param-2", "custom-value-1", "custom-value-2"); OAuth2ClientAuthenticationToken authentication = (OAuth2ClientAuthenticationToken) this.converter.convert(request); assertThat(authentication.getPrincipal()).isEqualTo("client-1"); assertThat(authentication.getCredentials()).isEqualTo("jwt-assertion"); 
@@ -118,7 +118,7 @@ public class JwtClientAssertionAuthenticationConverterTests { entry(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.AUTHORIZATION_CODE.getValue()), entry(OAuth2ParameterNames.CODE, "code"), entry("custom-param-1", "custom-value-1"), - entry("custom-param-2", new String[] {"custom-value-2a", "custom-value-2b"})); + entry("custom-param-2", new String[] {"custom-value-1", "custom-value-2"})); } private void assertThrown(MockHttpServletRequest request, String errorCode) { diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/PublicClientAuthenticationConverterTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/PublicClientAuthenticationConverterTests.java index 557ec1ff..0278e597 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/PublicClientAuthenticationConverterTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/authentication/PublicClientAuthenticationConverterTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 the original author or authors. + * Copyright 2020-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -82,8 +82,8 @@ public class PublicClientAuthenticationConverterTests { @Test public void convertWhenPublicClientThenReturnClientAuthenticationToken() { MockHttpServletRequest request = createPkceTokenRequest(); - request.addParameter("param-1", "value-1"); - request.addParameter("param-2", "value-2", "value-2b"); + request.addParameter("custom-param-1", "custom-value-1"); + request.addParameter("custom-param-2", "custom-value-1", "custom-value-2"); OAuth2ClientAuthenticationToken authentication = (OAuth2ClientAuthenticationToken) this.converter.convert(request); assertThat(authentication.getPrincipal()).isEqualTo("client-1"); assertThat(authentication.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.NONE); @@ -92,8 +92,8 @@ public class PublicClientAuthenticationConverterTests { entry(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.AUTHORIZATION_CODE.getValue()), entry(OAuth2ParameterNames.CODE, "code"), entry(PkceParameterNames.CODE_VERIFIER, "code-verifier-1"), - entry("param-1", "value-1"), - entry("param-2", new String[] {"value-2", "value-2b"})); + entry("custom-param-1", "custom-value-1"), + entry("custom-param-2", new String[] {"custom-value-1", "custom-value-2"})); } private static MockHttpServletRequest createPkceTokenRequest() {