|
|
|
|
@ -43,6 +43,7 @@ import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResp
@@ -43,6 +43,7 @@ import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResp
|
|
|
|
|
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest; |
|
|
|
|
import org.springframework.security.oauth2.client.registration.ClientRegistration; |
|
|
|
|
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository; |
|
|
|
|
import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest; |
|
|
|
|
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService; |
|
|
|
|
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter; |
|
|
|
|
import org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter; |
|
|
|
|
@ -51,6 +52,7 @@ import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenRespon
@@ -51,6 +52,7 @@ import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenRespon
|
|
|
|
|
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponseType; |
|
|
|
|
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames; |
|
|
|
|
import org.springframework.security.oauth2.core.user.DefaultOAuth2User; |
|
|
|
|
import org.springframework.security.oauth2.core.user.OAuth2User; |
|
|
|
|
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority; |
|
|
|
|
import org.springframework.test.context.junit4.SpringRunner; |
|
|
|
|
import org.springframework.web.util.UriComponents; |
|
|
|
|
@ -74,10 +76,11 @@ import static org.mockito.Mockito.when;
@@ -74,10 +76,11 @@ import static org.mockito.Mockito.when;
|
|
|
|
|
|
|
|
|
|
/** |
|
|
|
|
* Integration tests for the OAuth 2.0 client filters {@link OAuth2AuthorizationRequestRedirectFilter} |
|
|
|
|
* and {@link OAuth2LoginAuthenticationFilter}. |
|
|
|
|
* These filters work together to realize the Authorization Code Grant flow. |
|
|
|
|
* and {@link OAuth2LoginAuthenticationFilter}. These filters work together to realize |
|
|
|
|
* OAuth 2.0 Login leveraging the Authorization Code Grant flow. |
|
|
|
|
* |
|
|
|
|
* @author Joe Grandja |
|
|
|
|
* @since 5.0 |
|
|
|
|
*/ |
|
|
|
|
@RunWith(SpringRunner.class) |
|
|
|
|
@SpringBootTest |
|
|
|
|
@ -92,18 +95,9 @@ public class OAuth2LoginApplicationTests {
@@ -92,18 +95,9 @@ public class OAuth2LoginApplicationTests {
|
|
|
|
|
@Autowired |
|
|
|
|
private ClientRegistrationRepository clientRegistrationRepository; |
|
|
|
|
|
|
|
|
|
private ClientRegistration googleClientRegistration; |
|
|
|
|
private ClientRegistration githubClientRegistration; |
|
|
|
|
private ClientRegistration facebookClientRegistration; |
|
|
|
|
private ClientRegistration oktaClientRegistration; |
|
|
|
|
|
|
|
|
|
@Before |
|
|
|
|
public void setup() { |
|
|
|
|
this.webClient.getCookieManager().clearCookies(); |
|
|
|
|
this.googleClientRegistration = this.clientRegistrationRepository.findByRegistrationId("google"); |
|
|
|
|
this.githubClientRegistration = this.clientRegistrationRepository.findByRegistrationId("github"); |
|
|
|
|
this.facebookClientRegistration = this.clientRegistrationRepository.findByRegistrationId("facebook"); |
|
|
|
|
this.oktaClientRegistration = this.clientRegistrationRepository.findByRegistrationId("okta"); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@Test |
|
|
|
|
@ -122,7 +116,9 @@ public class OAuth2LoginApplicationTests {
@@ -122,7 +116,9 @@ public class OAuth2LoginApplicationTests {
|
|
|
|
|
public void requestAuthorizeGitHubClientWhenLinkClickedThenStatusRedirectForAuthorization() throws Exception { |
|
|
|
|
HtmlPage page = this.webClient.getPage("/"); |
|
|
|
|
|
|
|
|
|
HtmlAnchor clientAnchorElement = this.getClientAnchorElement(page, this.githubClientRegistration); |
|
|
|
|
ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId("github"); |
|
|
|
|
|
|
|
|
|
HtmlAnchor clientAnchorElement = this.getClientAnchorElement(page, clientRegistration); |
|
|
|
|
assertThat(clientAnchorElement).isNotNull(); |
|
|
|
|
|
|
|
|
|
WebResponse response = this.followLinkDisableRedirects(clientAnchorElement); |
|
|
|
|
@ -135,16 +131,16 @@ public class OAuth2LoginApplicationTests {
@@ -135,16 +131,16 @@ public class OAuth2LoginApplicationTests {
|
|
|
|
|
UriComponents uriComponents = UriComponentsBuilder.fromUri(URI.create(authorizeRedirectUri)).build(); |
|
|
|
|
|
|
|
|
|
String requestUri = uriComponents.getScheme() + "://" + uriComponents.getHost() + uriComponents.getPath(); |
|
|
|
|
assertThat(requestUri).isEqualTo(this.githubClientRegistration.getProviderDetails().getAuthorizationUri().toString()); |
|
|
|
|
assertThat(requestUri).isEqualTo(clientRegistration.getProviderDetails().getAuthorizationUri()); |
|
|
|
|
|
|
|
|
|
Map<String, String> params = uriComponents.getQueryParams().toSingleValueMap(); |
|
|
|
|
|
|
|
|
|
assertThat(params.get(OAuth2ParameterNames.RESPONSE_TYPE)).isEqualTo(OAuth2AuthorizationResponseType.CODE.getValue()); |
|
|
|
|
assertThat(params.get(OAuth2ParameterNames.CLIENT_ID)).isEqualTo(this.githubClientRegistration.getClientId()); |
|
|
|
|
String redirectUri = AUTHORIZE_BASE_URL + "/" + this.githubClientRegistration.getRegistrationId(); |
|
|
|
|
assertThat(params.get(OAuth2ParameterNames.CLIENT_ID)).isEqualTo(clientRegistration.getClientId()); |
|
|
|
|
String redirectUri = AUTHORIZE_BASE_URL + "/" + clientRegistration.getRegistrationId(); |
|
|
|
|
assertThat(URLDecoder.decode(params.get(OAuth2ParameterNames.REDIRECT_URI), "UTF-8")).isEqualTo(redirectUri); |
|
|
|
|
assertThat(URLDecoder.decode(params.get(OAuth2ParameterNames.SCOPE), "UTF-8")) |
|
|
|
|
.isEqualTo(this.githubClientRegistration.getScopes().stream().collect(Collectors.joining(" "))); |
|
|
|
|
.isEqualTo(clientRegistration.getScopes().stream().collect(Collectors.joining(" "))); |
|
|
|
|
assertThat(params.get(OAuth2ParameterNames.STATE)).isNotNull(); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@ -152,7 +148,9 @@ public class OAuth2LoginApplicationTests {
@@ -152,7 +148,9 @@ public class OAuth2LoginApplicationTests {
|
|
|
|
|
public void requestAuthorizeClientWhenInvalidClientThenStatusBadRequest() throws Exception { |
|
|
|
|
HtmlPage page = this.webClient.getPage("/"); |
|
|
|
|
|
|
|
|
|
HtmlAnchor clientAnchorElement = this.getClientAnchorElement(page, this.googleClientRegistration); |
|
|
|
|
ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId("google"); |
|
|
|
|
|
|
|
|
|
HtmlAnchor clientAnchorElement = this.getClientAnchorElement(page, clientRegistration); |
|
|
|
|
assertThat(clientAnchorElement).isNotNull(); |
|
|
|
|
clientAnchorElement.setAttribute("href", clientAnchorElement.getHrefAttribute() + "-invalid"); |
|
|
|
|
|
|
|
|
|
@ -170,7 +168,9 @@ public class OAuth2LoginApplicationTests {
@@ -170,7 +168,9 @@ public class OAuth2LoginApplicationTests {
|
|
|
|
|
public void requestAuthorizationCodeGrantWhenValidAuthorizationResponseThenDisplayIndexPage() throws Exception { |
|
|
|
|
HtmlPage page = this.webClient.getPage("/"); |
|
|
|
|
|
|
|
|
|
HtmlAnchor clientAnchorElement = this.getClientAnchorElement(page, this.githubClientRegistration); |
|
|
|
|
ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId("github"); |
|
|
|
|
|
|
|
|
|
HtmlAnchor clientAnchorElement = this.getClientAnchorElement(page, clientRegistration); |
|
|
|
|
assertThat(clientAnchorElement).isNotNull(); |
|
|
|
|
|
|
|
|
|
WebResponse response = this.followLinkDisableRedirects(clientAnchorElement); |
|
|
|
|
@ -199,9 +199,11 @@ public class OAuth2LoginApplicationTests {
@@ -199,9 +199,11 @@ public class OAuth2LoginApplicationTests {
|
|
|
|
|
URL loginPageUrl = page.getBaseURL(); |
|
|
|
|
URL loginErrorPageUrl = new URL(loginPageUrl.toString() + "?error"); |
|
|
|
|
|
|
|
|
|
ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId("google"); |
|
|
|
|
|
|
|
|
|
String code = "auth-code"; |
|
|
|
|
String state = "state"; |
|
|
|
|
String redirectUri = AUTHORIZE_BASE_URL + "/" + this.googleClientRegistration.getRegistrationId(); |
|
|
|
|
String redirectUri = AUTHORIZE_BASE_URL + "/" + clientRegistration.getRegistrationId(); |
|
|
|
|
|
|
|
|
|
String authorizationResponseUri = |
|
|
|
|
UriComponentsBuilder.fromHttpUrl(redirectUri) |
|
|
|
|
@ -227,13 +229,15 @@ public class OAuth2LoginApplicationTests {
@@ -227,13 +229,15 @@ public class OAuth2LoginApplicationTests {
|
|
|
|
|
URL loginPageUrl = page.getBaseURL(); |
|
|
|
|
URL loginErrorPageUrl = new URL(loginPageUrl.toString() + "?error"); |
|
|
|
|
|
|
|
|
|
HtmlAnchor clientAnchorElement = this.getClientAnchorElement(page, this.googleClientRegistration); |
|
|
|
|
ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId("google"); |
|
|
|
|
|
|
|
|
|
HtmlAnchor clientAnchorElement = this.getClientAnchorElement(page, clientRegistration); |
|
|
|
|
assertThat(clientAnchorElement).isNotNull(); |
|
|
|
|
this.followLinkDisableRedirects(clientAnchorElement); |
|
|
|
|
|
|
|
|
|
String code = "auth-code"; |
|
|
|
|
String state = "invalid-state"; |
|
|
|
|
String redirectUri = AUTHORIZE_BASE_URL + "/" + this.githubClientRegistration.getRegistrationId(); |
|
|
|
|
String redirectUri = AUTHORIZE_BASE_URL + "/" + clientRegistration.getRegistrationId(); |
|
|
|
|
|
|
|
|
|
String authorizationResponseUri = |
|
|
|
|
UriComponentsBuilder.fromHttpUrl(redirectUri) |
|
|
|
|
@ -255,7 +259,9 @@ public class OAuth2LoginApplicationTests {
@@ -255,7 +259,9 @@ public class OAuth2LoginApplicationTests {
|
|
|
|
|
URL loginPageUrl = page.getBaseURL(); |
|
|
|
|
URL loginErrorPageUrl = new URL(loginPageUrl.toString() + "?error"); |
|
|
|
|
|
|
|
|
|
HtmlAnchor clientAnchorElement = this.getClientAnchorElement(page, this.googleClientRegistration); |
|
|
|
|
ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId("google"); |
|
|
|
|
|
|
|
|
|
HtmlAnchor clientAnchorElement = this.getClientAnchorElement(page, clientRegistration); |
|
|
|
|
assertThat(clientAnchorElement).isNotNull(); |
|
|
|
|
|
|
|
|
|
WebResponse response = this.followLinkDisableRedirects(clientAnchorElement); |
|
|
|
|
@ -291,21 +297,26 @@ public class OAuth2LoginApplicationTests {
@@ -291,21 +297,26 @@ public class OAuth2LoginApplicationTests {
|
|
|
|
|
List<HtmlAnchor> clientAnchorElements = page.getAnchors(); |
|
|
|
|
assertThat(clientAnchorElements.size()).isEqualTo(expectedClients); |
|
|
|
|
|
|
|
|
|
ClientRegistration googleClientRegistration = this.clientRegistrationRepository.findByRegistrationId("google"); |
|
|
|
|
ClientRegistration githubClientRegistration = this.clientRegistrationRepository.findByRegistrationId("github"); |
|
|
|
|
ClientRegistration facebookClientRegistration = this.clientRegistrationRepository.findByRegistrationId("facebook"); |
|
|
|
|
ClientRegistration oktaClientRegistration = this.clientRegistrationRepository.findByRegistrationId("okta"); |
|
|
|
|
|
|
|
|
|
String baseAuthorizeUri = AUTHORIZATION_BASE_URI + "/"; |
|
|
|
|
String googleClientAuthorizeUri = baseAuthorizeUri + this.googleClientRegistration.getRegistrationId(); |
|
|
|
|
String githubClientAuthorizeUri = baseAuthorizeUri + this.githubClientRegistration.getRegistrationId(); |
|
|
|
|
String facebookClientAuthorizeUri = baseAuthorizeUri + this.facebookClientRegistration.getRegistrationId(); |
|
|
|
|
String oktaClientAuthorizeUri = baseAuthorizeUri + this.oktaClientRegistration.getRegistrationId(); |
|
|
|
|
String googleClientAuthorizeUri = baseAuthorizeUri + googleClientRegistration.getRegistrationId(); |
|
|
|
|
String githubClientAuthorizeUri = baseAuthorizeUri + githubClientRegistration.getRegistrationId(); |
|
|
|
|
String facebookClientAuthorizeUri = baseAuthorizeUri + facebookClientRegistration.getRegistrationId(); |
|
|
|
|
String oktaClientAuthorizeUri = baseAuthorizeUri + oktaClientRegistration.getRegistrationId(); |
|
|
|
|
|
|
|
|
|
for (int i=0; i<expectedClients; i++) { |
|
|
|
|
assertThat(clientAnchorElements.get(i).getAttribute("href")).isIn( |
|
|
|
|
googleClientAuthorizeUri, githubClientAuthorizeUri, |
|
|
|
|
facebookClientAuthorizeUri, oktaClientAuthorizeUri); |
|
|
|
|
assertThat(clientAnchorElements.get(i).asText()).isIn( |
|
|
|
|
this.googleClientRegistration.getClientName(), |
|
|
|
|
this.githubClientRegistration.getClientName(), |
|
|
|
|
this.facebookClientRegistration.getClientName(), |
|
|
|
|
this.oktaClientRegistration.getClientName()); |
|
|
|
|
googleClientRegistration.getClientName(), |
|
|
|
|
githubClientRegistration.getClientName(), |
|
|
|
|
facebookClientRegistration.getClientName(), |
|
|
|
|
oktaClientRegistration.getClientName()); |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@ -321,7 +332,7 @@ public class OAuth2LoginApplicationTests {
@@ -321,7 +332,7 @@ public class OAuth2LoginApplicationTests {
|
|
|
|
|
Optional<HtmlAnchor> clientAnchorElement = page.getAnchors().stream() |
|
|
|
|
.filter(e -> e.asText().equals(clientRegistration.getClientName())).findFirst(); |
|
|
|
|
|
|
|
|
|
return (clientAnchorElement.isPresent() ? clientAnchorElement.get() : null); |
|
|
|
|
return (clientAnchorElement.orElse(null)); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
private WebResponse followLinkDisableRedirects(HtmlAnchor anchorElement) throws Exception { |
|
|
|
|
@ -353,7 +364,7 @@ public class OAuth2LoginApplicationTests {
@@ -353,7 +364,7 @@ public class OAuth2LoginApplicationTests {
|
|
|
|
|
.accessTokenResponseClient(this.mockAccessTokenResponseClient()) |
|
|
|
|
.and() |
|
|
|
|
.userInfoEndpoint() |
|
|
|
|
.userService(this.mockUserInfoService()); |
|
|
|
|
.userService(this.mockUserService()); |
|
|
|
|
} |
|
|
|
|
// @formatter:on
|
|
|
|
|
|
|
|
|
|
@ -363,12 +374,12 @@ public class OAuth2LoginApplicationTests {
@@ -363,12 +374,12 @@ public class OAuth2LoginApplicationTests {
|
|
|
|
|
.expiresIn(60 * 1000) |
|
|
|
|
.build(); |
|
|
|
|
|
|
|
|
|
OAuth2AccessTokenResponseClient mock = mock(OAuth2AccessTokenResponseClient.class); |
|
|
|
|
when(mock.getTokenResponse(any())).thenReturn(accessTokenResponse); |
|
|
|
|
return mock; |
|
|
|
|
OAuth2AccessTokenResponseClient tokenResponseClient = mock(OAuth2AccessTokenResponseClient.class); |
|
|
|
|
when(tokenResponseClient.getTokenResponse(any())).thenReturn(accessTokenResponse); |
|
|
|
|
return tokenResponseClient; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
private OAuth2UserService mockUserInfoService() { |
|
|
|
|
private OAuth2UserService<OAuth2UserRequest, OAuth2User> mockUserService() { |
|
|
|
|
Map<String, Object> attributes = new HashMap<>(); |
|
|
|
|
attributes.put("id", "joeg"); |
|
|
|
|
attributes.put("first-name", "Joe"); |
|
|
|
|
@ -381,9 +392,9 @@ public class OAuth2LoginApplicationTests {
@@ -381,9 +392,9 @@ public class OAuth2LoginApplicationTests {
|
|
|
|
|
|
|
|
|
|
DefaultOAuth2User user = new DefaultOAuth2User(authorities, attributes, "email"); |
|
|
|
|
|
|
|
|
|
OAuth2UserService mock = mock(OAuth2UserService.class); |
|
|
|
|
when(mock.loadUser(any())).thenReturn(user); |
|
|
|
|
return mock; |
|
|
|
|
OAuth2UserService userService = mock(OAuth2UserService.class); |
|
|
|
|
when(userService.loadUser(any())).thenReturn(user); |
|
|
|
|
return userService; |
|
|
|
|
} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
Joe Grandja
8 years ago