Remove AuthorizedClient.getAuthorizedScopes()

Fixes gh-4696
8 years ago · 5237c6e01b
3 changed files with 14 additions and 18 deletions
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/AuthorizedClient.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/AuthorizedClient.java
@ -18,9 +18,6 @@ package org.springframework.security.oauth2.client.authentication;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.core.AccessToken;
 import org.springframework.util.Assert;
 import org.springframework.util.CollectionUtils;
 import java.util.Set;
 /**
 * A representation of an OAuth 2.0 <i>&quot;Authorized Client&quot;</i>.
@ -63,14 +60,4 @@ public class AuthorizedClient {
 	public AccessToken getAccessToken() {
 		return this.accessToken;
 	}
 	public final Set<String> getAuthorizedScopes() {
 		// As per spec, in section 5.1 Successful Access Token Response
 		// https://tools.ietf.org/html/rfc6749#section-5.1
 		// If AccessToken.scopes is empty, then default to the scopes
 		// originally requested by the client in the Authorization Request
 		return (CollectionUtils.isEmpty(this.getAccessToken().getScopes()) ?
 			this.getClientRegistration().getScopes() :
 			this.getAccessToken().getScopes());
 	}
 }
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/NimbusAuthorizationCodeTokenExchanger.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/NimbusAuthorizationCodeTokenExchanger.java
@ -41,7 +41,6 @@ import org.springframework.util.CollectionUtils;
 import java.io.IOException;
 import java.net.URI;
 import java.util.Collections;
 import java.util.LinkedHashMap;
 import java.util.LinkedHashSet;
 import java.util.Map;
@ -122,10 +121,20 @@ public class NimbusAuthorizationCodeTokenExchanger implements AuthorizationGrant
 			accessTokenType = AccessToken.TokenType.BEARER;
 		}
 		long expiresIn = accessTokenResponse.getTokens().getAccessToken().getLifetime();
-		Set<String> scopes = Collections.emptySet();
+
-		if (!CollectionUtils.isEmpty(accessTokenResponse.getTokens().getAccessToken().getScope())) {
+		// As per spec, in section 5.1 Successful Access Token Response
-			scopes = new LinkedHashSet<>(accessTokenResponse.getTokens().getAccessToken().getScope().toStringList());
+		// https://tools.ietf.org/html/rfc6749#section-5.1
 		// If AccessTokenResponse.scope is empty, then default to the scope
 		// originally requested by the client in the Authorization Request
 		Set<String> scopes;
 		if (CollectionUtils.isEmpty(accessTokenResponse.getTokens().getAccessToken().getScope())) {
 			scopes = new LinkedHashSet<>(
 				authorizationCodeAuthentication.getAuthorizationExchange().getAuthorizationRequest().getScopes());
 		} else {
 			scopes = new LinkedHashSet<>(
 				accessTokenResponse.getTokens().getAccessToken().getScope().toStringList());
 		}
 		Map<String, Object> additionalParameters = new LinkedHashMap<>(accessTokenResponse.getCustomParameters());
 		return TokenResponse.withToken(accessToken)
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/oidc/client/authentication/userinfo/OidcUserService.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/oidc/client/authentication/userinfo/OidcUserService.java
@ -110,7 +110,7 @@ public class OidcUserService implements OAuth2UserService {
 			oidcAuthorizedClient.getClientRegistration().getAuthorizationGrantType())) {
 			// Return true if there is at least one match between the authorized scope(s) and UserInfo scope(s)
-			return oidcAuthorizedClient.getAuthorizedScopes().stream().anyMatch(userInfoScopes::contains);
+			return oidcAuthorizedClient.getAccessToken().getScopes().stream().anyMatch(userInfoScopes::contains);
 		}
 		return false;