From cc6b3dc7915f384d824844ded374ca2c3f8c67fe Mon Sep 17 00:00:00 2001
From: Steve Riesenberg
Date: Wed, 15 Mar 2023 14:07:33 -0500
Subject: [PATCH] Polish gh-1106
---
 ...rizationConsentAuthenticationProvider.java | 5 ++---
 ...rizationRequestAuthenticationProvider.java | 4 ++--
 ...Auth2DeviceCodeAuthenticationProvider.java | 10 ++++++----
 ...iceVerificationAuthenticationProvider.java | 4 ++--
 ...uth2DeviceAuthorizationEndpointFilter.java | 10 +++++-----
 ...Auth2DeviceVerificationEndpointFilter.java | 19 +++++++++++++++++++
 ...izationConsentAuthenticationConverter.java | 5 ++++-
 ...izationRequestAuthenticationConverter.java | 4 ++++
 ...uth2DeviceCodeAuthenticationConverter.java | 4 ++--
 9 files changed, 46 insertions(+), 19 deletions(-)
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationConsentAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationConsentAuthenticationProvider.java
index e0b0a006..07e8f584 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationConsentAuthenticationProvider.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationConsentAuthenticationProvider.java
@@ -29,7 +29,6 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
-import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
 import org.springframework.security.oauth2.core.OAuth2DeviceCode;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
@@ -63,7 +62,7 @@ import org.springframework.util.Assert;
 public final class OAuth2DeviceAuthorizationConsentAuthenticationProvider implements AuthenticationProvider {
 private static final String DEFAULT_ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1";
- private static final OAuth2TokenType STATE_TOKEN_TYPE = new OAuth2TokenType(OAuth2ParameterNames.STATE);
+ static final OAuth2TokenType STATE_TOKEN_TYPE = new OAuth2TokenType(OAuth2ParameterNames.STATE);
 private final Log logger = LogFactory.getLog(getClass());
 private final RegisteredClientRepository registeredClientRepository;
@@ -261,7 +260,7 @@ public final class OAuth2DeviceAuthorizationConsentAuthenticationProvider implem
 private static void throwError(String errorCode, String parameterName) {
 OAuth2Error error = new OAuth2Error(errorCode, "OAuth 2.0 Parameter: " + parameterName, DEFAULT_ERROR_URI);
- throw new OAuth2AuthorizationException(error);
+ throw new OAuth2AuthenticationException(error);
 }
 }
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationRequestAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationRequestAuthenticationProvider.java
index 12706dff..70a4a220 100644
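Review bot: `STATE_TOKEN_TYPE` loses `private` in the -63 hunk with no comment saying who outside the class now depends on it, and the same widening is applied to `DEVICE_CODE_TOKEN_TYPE`/`USER_CODE_TOKEN_TYPE` in OAuth2DeviceAuthorizationRequestAuthenticationProvider and OAuth2DeviceCodeAuthenticationProvider and to `USER_CODE_TOKEN_TYPE` in OAuth2DeviceVerificationAuthenticationProvider. Presumably this is for the package's tests or sibling classes; a one-liner such as `// package-private so sibling classes and tests look up the same token type` on each would record that so a later polish does not tighten it back. The `throwError` change in the -261 hunk is the right exception family: an `OAuth2AuthenticationException` is what the filter's failure handler turns into an OAuth2 error response, whereas `OAuth2AuthorizationException` is a plain runtime exception that, as far as I recall, `ProviderManager` would not translate.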
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationRequestAuthenticationProvider.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationRequestAuthenticationProvider.java
@@ -69,8 +69,8 @@ import static org.springframework.security.oauth2.server.authorization.authentic
 public final class OAuth2DeviceAuthorizationRequestAuthenticationProvider implements AuthenticationProvider {
 private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2";
- private static final OAuth2TokenType DEVICE_CODE_TOKEN_TYPE = new OAuth2TokenType(OAuth2ParameterNames.DEVICE_CODE);
- private static final OAuth2TokenType USER_CODE_TOKEN_TYPE = new OAuth2TokenType(OAuth2ParameterNames.USER_CODE);
+ static final OAuth2TokenType DEVICE_CODE_TOKEN_TYPE = new OAuth2TokenType(OAuth2ParameterNames.DEVICE_CODE);
+ static final OAuth2TokenType USER_CODE_TOKEN_TYPE = new OAuth2TokenType(OAuth2ParameterNames.USER_CODE);
 private final Log logger = LogFactory.getLog(getClass());
 private final OAuth2AuthorizationService authorizationService;
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceCodeAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceCodeAuthenticationProvider.java
index cc3b296f..03653937 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceCodeAuthenticationProvider.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceCodeAuthenticationProvider.java
@@ -66,7 +66,9 @@ public final class OAuth2DeviceCodeAuthenticationProvider implements Authenticat
 private static final String DEFAULT_ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2";
 private static final String DEVICE_ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc8628#section-3.5";
- private static final OAuth2TokenType DEVICE_CODE_TOKEN_TYPE = new OAuth2TokenType(OAuth2ParameterNames.DEVICE_CODE);
+ static final OAuth2TokenType DEVICE_CODE_TOKEN_TYPE = new OAuth2TokenType(OAuth2ParameterNames.DEVICE_CODE);
+ static final String EXPIRED_TOKEN = "expired_token";
+ static final String AUTHORIZATION_PENDING = "authorization_pending";
 private final Log logger = LogFactory.getLog(getClass());
 private final OAuth2AuthorizationService authorizationService;
@@ -134,7 +136,7 @@ public final class OAuth2DeviceCodeAuthenticationProvider implements Authenticat
 // access_denied
 // The authorization request was denied.
 if (Boolean.TRUE.equals(deviceCode.getMetadata(OAuth2Authorization.Token.ACCESS_DENIED_METADATA_NAME))) {
- OAuth2Error error = new OAuth2Error("access_denied", null, DEVICE_ERROR_URI);
+ OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.ACCESS_DENIED, null, DEVICE_ERROR_URI);
 throw new OAuth2AuthenticationException(error);
 }
@@ -144,7 +146,7 @@ public final class OAuth2DeviceCodeAuthenticationProvider implements Authenticat
 // authorization request but SHOULD wait for user interaction before
 // restarting to avoid unnecessary polling.
 if (deviceCode.isExpired()) {
- OAuth2Error error = new OAuth2Error("expired_token", null, DEVICE_ERROR_URI);
+ OAuth2Error error = new OAuth2Error(EXPIRED_TOKEN, null, DEVICE_ERROR_URI);
 throw new OAuth2AuthenticationException(error);
 }
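Review bot: `EXPIRED_TOKEN` and `AUTHORIZATION_PENDING` in the -66 hunk are added without a comment, although a reader has to know they are the RFC 8628 Section 3.5 device-flow error codes (the section `DEVICE_ERROR_URI` points at) and that they are declared locally, presumably because `OAuth2ErrorCodes` does not define them, whereas `access_denied` in the -134 hunk is now taken from `OAuth2ErrorCodes`. A one-liner above the pair, `// RFC 8628 Section 3.5 device-flow error codes not defined in OAuth2ErrorCodes`, would explain why two are local and the third is not. The -165 hunk's comment refers to the `slow_down` error; if this provider also emits it, it should be declared next to these two rather than left as a string literal.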
@@ -165,7 +167,7 @@ public final class OAuth2DeviceCodeAuthenticationProvider implements Authenticat
 // increase in the polling interval required by the "slow_down"
 // error.
 if (!Boolean.TRUE.equals(deviceCode.getMetadata(OAuth2Authorization.Token.ACCESS_GRANTED_METADATA_NAME))) {
- OAuth2Error error = new OAuth2Error("authorization_pending", null, DEVICE_ERROR_URI);
+ OAuth2Error error = new OAuth2Error(AUTHORIZATION_PENDING, null, DEVICE_ERROR_URI);
 throw new OAuth2AuthenticationException(error);
 }
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProvider.java
index 92777c12..e4ca833d 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProvider.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProvider.java
@@ -62,7 +62,7 @@ import org.springframework.util.Assert;
 */
 public final class OAuth2DeviceVerificationAuthenticationProvider implements AuthenticationProvider {
- private static final OAuth2TokenType USER_CODE_TOKEN_TYPE = new OAuth2TokenType(OAuth2ParameterNames.USER_CODE);
+ static final OAuth2TokenType USER_CODE_TOKEN_TYPE = new OAuth2TokenType(OAuth2ParameterNames.USER_CODE);
 private static final StringKeyGenerator DEFAULT_STATE_GENERATOR = new Base64StringKeyGenerator(Base64.getUrlEncoder());
@@ -154,7 +154,7 @@ public final class OAuth2DeviceVerificationAuthenticationProvider implements Aut
 OAuth2Authorization.Token userCode = authorization.getToken(OAuth2UserCode.class);
 OAuth2Authorization updatedAuthorization = OAuth2Authorization.from(authorization)
 .principalName(principal.getName())
- .authorizedScopes(currentAuthorizedScopes)
+ .authorizedScopes(authorizationRequest.getScopes())
 .token(deviceCode.getToken(), metadata -> metadata
 .put(OAuth2Authorization.Token.ACCESS_GRANTED_METADATA_NAME, true))
 .token(userCode.getToken(), metadata -> metadata
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceAuthorizationEndpointFilter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceAuthorizationEndpointFilter.java
index 13207d16..480c7d40 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceAuthorizationEndpointFilter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceAuthorizationEndpointFilter.java
@@ -70,7 +70,7 @@ import org.springframework.web.util.UriComponentsBuilder;
 */
 public final class OAuth2DeviceAuthorizationEndpointFilter extends OncePerRequestFilter {
- private static final String DEFAULT_DEVICE_AUTHORIZATION_ENDPOINT_URI = "/oauth2/device_authorize";
+ private static final String DEFAULT_DEVICE_AUTHORIZATION_ENDPOINT_URI = "/oauth2/device_authorization";
 private static final String DEFAULT_DEVICE_VERIFICATION_URI = "/oauth2/device_verification";
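Review bot: `.authorizedScopes(authorizationRequest.getScopes())` in the -154 hunk records the scopes from the authorization request as the authorized scopes in place of `currentAuthorizedScopes`; if `authorizationRequest.getScopes()` is the set the client asked for rather than the set the user actually approved, the stored authorization claims more than the consent decision covers, and the device_code grant that follows (marked by `ACCESS_GRANTED_METADATA_NAME` on the same builder) will issue a token with those scopes. That is only safe if this branch is reached solely when no consent is required, for example when every requested scope is already approved or the client does not require consent; the enclosing method starts and ends outside the hunk, so that cannot be confirmed here. A comment on the changed line, such as `// consent not required here: every requested scope is granted as-is`, would make the invariant explicit, and a test that a partially consented request never reaches this path would pin it.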
@@ -88,10 +88,10 @@ public final class OAuth2DeviceAuthorizationEndpointFilter extends OncePerReques
 private String verificationUri = DEFAULT_DEVICE_VERIFICATION_URI;
 /**
- * Constructs an {@code OAuth2DeviceAuthorizationEndpointFilter} using the provided parameters.
- *
- * @param authenticationManager the authentication manager
- */
+ * Constructs an {@code OAuth2DeviceAuthorizationEndpointFilter} using the provided parameters.
+ *
+ * @param authenticationManager the authentication manager
+ */
 public OAuth2DeviceAuthorizationEndpointFilter(AuthenticationManager authenticationManager) {
 this(authenticationManager, DEFAULT_DEVICE_AUTHORIZATION_ENDPOINT_URI);
 }
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceVerificationEndpointFilter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceVerificationEndpointFilter.java
index 1c256bc4..0b13c264 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceVerificationEndpointFilter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceVerificationEndpointFilter.java
@@ -79,6 +79,8 @@ import org.springframework.web.util.UriComponentsBuilder;
 */
 public final class OAuth2DeviceVerificationEndpointFilter extends OncePerRequestFilter {
+ private static final String DEFAULT_DEVICE_VERIFICATION_URI = "/oauth2/device_verification";
+
 private final AuthenticationManager authenticationManager;
 private final RequestMatcher deviceVerificationEndpointMatcher;
 private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
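Review bot: `DEFAULT_DEVICE_VERIFICATION_URI = "/oauth2/device_verification"` in the -79 hunk duplicates the identically named and valued private constant that OAuth2DeviceAuthorizationEndpointFilter already holds (its -70 hunk above), and the new one-argument constructor in this file's -90 hunk bakes the copy into the request matcher. The two values have to agree, since the authorization filter presumably publishes its copy as the verification URI (it seeds `verificationUri` from it in the -88 hunk) while this filter serves the path, yet nothing enforces the agreement, so a later edit to one literal would silently break the default device flow. Either reference one shared package-level constant from both filters, or at minimum add `// must match OAuth2DeviceAuthorizationEndpointFilter.DEFAULT_DEVICE_VERIFICATION_URI` here and the mirror comment there so the coupling is documented.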
@@ -90,7 +92,24 @@ public final class OAuth2DeviceVerificationEndpointFilter extends OncePerRequest
 private AuthenticationFailureHandler authenticationFailureHandler = this::sendErrorResponse;
 private String consentPage;
+ /**
+ * Construct an {@code OAuth2DeviceVerificationEndpointFilter} using the provided parameters.
+ *
+ * @param authenticationManager the authentication manager
+ */
+ public OAuth2DeviceVerificationEndpointFilter(AuthenticationManager authenticationManager) {
+ this(authenticationManager, DEFAULT_DEVICE_VERIFICATION_URI);
+ }
+
+ /**
+ * Construct an {@code OAuth2DeviceVerificationEndpointFilter} using the provided parameters.
+ *
+ * @param authenticationManager the authentication manager
+ * @param deviceVerificationEndpointUri the endpoint {@code URI} for device verification requests
+ */
 public OAuth2DeviceVerificationEndpointFilter(AuthenticationManager authenticationManager, String deviceVerificationEndpointUri) {
+ Assert.notNull(authenticationManager, "authenticationManager cannot be null");
+ Assert.hasText(deviceVerificationEndpointUri, "deviceVerificationEndpointUri cannot be empty");
 this.authenticationManager = authenticationManager;
 this.deviceVerificationEndpointMatcher = createDefaultRequestMatcher(deviceVerificationEndpointUri);
 this.authenticationConverter = new DelegatingAuthenticationConverter(
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceAuthorizationConsentAuthenticationConverter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceAuthorizationConsentAuthenticationConverter.java
index b4c180b2..7d6f5bfc 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceAuthorizationConsentAuthenticationConverter.java
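Review bot: The two new Javadoc summaries in the -90 hunk read "Construct an ..." while the sibling OAuth2DeviceAuthorizationEndpointFilter's constructor, reindented in this same commit, reads "Constructs an ..."; the third-person form is the usual convention for a summary sentence, so `* Constructs an {@code OAuth2DeviceVerificationEndpointFilter} using the provided parameters.` on both would keep the two filters consistent. The added `Assert.notNull`/`Assert.hasText` guards are the right fail-fast checks for constructor input. The two-argument constructor continues past the hunk (the `DelegatingAuthenticationConverter(` call is cut off), so whether the converters it wires are also guarded cannot be seen here.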
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceAuthorizationConsentAuthenticationConverter.java
@@ -75,7 +75,10 @@ public final class OAuth2DeviceAuthorizationConsentAuthenticationConverter imple
 // client_id (REQUIRED)
 String clientId = parameters.getFirst(OAuth2ParameterNames.CLIENT_ID);
 if (!StringUtils.hasText(clientId) || parameters.get(OAuth2ParameterNames.CLIENT_ID).size() != 1) {
- OAuth2EndpointUtils.throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.CLIENT_ID, DEFAULT_ERROR_URI);
+ OAuth2EndpointUtils.throwError(
+ OAuth2ErrorCodes.INVALID_REQUEST,
+ OAuth2ParameterNames.CLIENT_ID,
+ DEFAULT_ERROR_URI);
 }
 Authentication principal = SecurityContextHolder.getContext().getAuthentication();
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceAuthorizationRequestAuthenticationConverter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceAuthorizationRequestAuthenticationConverter.java
index ff795879..dfb23c98 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceAuthorizationRequestAuthenticationConverter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceAuthorizationRequestAuthenticationConverter.java
@@ -28,6 +28,7 @@ import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2DeviceAuthorizationRequestAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.web.OAuth2DeviceAuthorizationEndpointFilter;
 import org.springframework.security.web.authentication.AuthenticationConverter;
 import org.springframework.util.MultiValueMap;
 import org.springframework.util.StringUtils;
@@ -40,6 +41,9 @@ import org.springframework.util.StringUtils;
 *
 * @author Steve Riesenberg
 * @since 1.1
+ * @see AuthenticationConverter
+ * @see OAuth2DeviceAuthorizationRequestAuthenticationToken
+ * @see OAuth2DeviceAuthorizationEndpointFilter
 */
 public final class OAuth2DeviceAuthorizationRequestAuthenticationConverter implements AuthenticationConverter {
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceCodeAuthenticationConverter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceCodeAuthenticationConverter.java
index 0652459e..d0fcaa27 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceCodeAuthenticationConverter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2DeviceCodeAuthenticationConverter.java
@@ -26,7 +26,7 @@ import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2DeviceCodeAuthenticationToken;
-import org.springframework.security.oauth2.server.authorization.web.OAuth2DeviceAuthorizationEndpointFilter;
+import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter;
 import org.springframework.security.web.authentication.AuthenticationConverter;
 import org.springframework.util.MultiValueMap;
 import org.springframework.util.StringUtils;
@@ -41,7 +41,7 @@ import org.springframework.util.StringUtils;
 * @since 1.1
 * @see AuthenticationConverter
 * @see OAuth2DeviceCodeAuthenticationToken
- * @see OAuth2DeviceAuthorizationEndpointFilter
+ * @see OAuth2TokenEndpointFilter
 */
 public final class OAuth2DeviceCodeAuthenticationConverter implements AuthenticationConverter {