GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Add RestClient interceptor 

Closes gh-13588
pull/15634/head
Steve Riesenberg 2 years ago
parent
b294816600
commit
e3c19ba86c
4 changed files with 1432 additions and 71 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 337
      docs/modules/ROOT/pages/servlet/oauth2/index.adoc
  2. 381
      oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/client/OAuth2ClientHttpRequestInterceptor.java
  3. 60
      oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/client/RequestAttributeClientRegistrationIdResolver.java
  4. 725
      oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/function/client/OAuth2ClientHttpRequestInterceptorTests.java

337
docs/modules/ROOT/pages/servlet/oauth2/index.adoc
Unescape View File

@ -398,13 +398,14 @@ See xref:getting-spring-security.adoc[] for additional options when not using Sp
Consider the following use cases for OAuth2 Client: Consider the following use cases for OAuth2 Client:
* <<oauth2-client-log-users-in,I want to log users in using OAuth 2.0 or OpenID Connect 1.0>> * I want to <<oauth2-client-log-users-in,log users in using OAuth 2.0 or OpenID Connect 1.0>>
* <<oauth2-client-access-protected-resources,I want to obtain an access token for users in order to access a third-party API>> * I want to <<oauth2-client-access-protected-resources,use `RestClient` to obtain an access token for users in order to access a third-party API>>
* <<oauth2-client-access-protected-resources-current-user,I want to do both>> (log users in _and_ access a third-party API) * I want to <<oauth2-client-access-protected-resources-current-user,do both>> (log users in _and_ access a third-party API)
* <<oauth2-client-enable-extension-grant-type,I want to enable an extension grant type>> * I want to <<oauth2-client-access-protected-resources-webclient,use `WebClient` to obtain an access token for users in order to access a third-party API>>
* <<oauth2-client-customize-existing-grant-type,I want to customize an existing grant type>> * I want to <<oauth2-client-enable-extension-grant-type,enable an extension grant type>>
* <<oauth2-client-customize-request-parameters,I want to customize token request parameters>> * I want to <<oauth2-client-customize-existing-grant-type,customize an existing grant type>>
* <<oauth2-client-customize-rest-operations,I want to customize the `RestOperations` used by OAuth2 Client components>> * I want to <<oauth2-client-customize-request-parameters,customize token request parameters>>
* I want to <<oauth2-client-customize-rest-operations,customize the `RestOperations` used by OAuth2 Client components>>
[[oauth2-client-log-users-in]] [[oauth2-client-log-users-in]]
=== Log Users In with OAuth2 === Log Users In with OAuth2
@ -584,38 +585,11 @@ Spring Security provides implementations of `OAuth2AuthorizedClientManager` for
Spring Security registers a default `OAuth2AuthorizedClientManager` bean for you when one does not exist. Spring Security registers a default `OAuth2AuthorizedClientManager` bean for you when one does not exist.
==== ====
The easiest way to use an `OAuth2AuthorizedClientManager` is via an `ExchangeFilterFunction` that intercepts requests through a `WebClient`. The easiest way to use an `OAuth2AuthorizedClientManager` is via a `ClientHttpRequestInterceptor` that intercepts requests through a `RestClient`, which is already available when `spring-web` is on the classpath.
To use `WebClient`, you will need to add the `spring-webflux` dependency along with a reactive client implementation:
.Add Spring WebFlux Dependency The following example uses the default `OAuth2AuthorizedClientManager` to configure a `RestClient` capable of accessing protected resources by placing `Bearer` tokens in the `Authorization` header of each request:
[tabs]
======
Gradle::
+
[source,gradle,role="primary"]
----
implementation 'org.springframework:spring-webflux'
implementation 'io.projectreactor.netty:reactor-netty'
----
Maven:: .Configure `RestClient` with `ClientHttpRequestInterceptor`
+
[source,maven,role="secondary"]
----
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webflux</artifactId>
</dependency>
<dependency>
<groupId>io.projectreactor.netty</groupId>
<artifactId>reactor-netty</artifactId>
</dependency>
----
======
The following example uses the default `OAuth2AuthorizedClientManager` to configure a `WebClient` capable of accessing protected resources by placing `Bearer` tokens in the `Authorization` header of each request:
.Configure `WebClient` with `ExchangeFilterFunction`
[tabs] [tabs]
===== =====
Java:: Java::
@ -623,14 +597,14 @@ Java::
[source,java,role="primary"] [source,java,role="primary"]
---- ----
@Configuration @Configuration
public class WebClientConfig { public class RestClientConfig {
@Bean @Bean
public WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) { public RestClient restClient(OAuth2AuthorizedClientManager authorizedClientManager) {
ServletOAuth2AuthorizedClientExchangeFilterFunction filter = OAuth2ClientHttpRequestInterceptor requestInterceptor =
new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager); new OAuth2ClientHttpRequestInterceptor(authorizedClientManager);
return WebClient.builder() return RestClient.builder()
.apply(filter.oauth2Configuration()) .requestInterceptor(requestInterceptor)
.build(); .build();
} }
@ -642,13 +616,13 @@ Kotlin::
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
@Configuration @Configuration
class WebClientConfig { class RestClientConfig {
@Bean @Bean
fun webClient(authorizedClientManager: OAuth2AuthorizedClientManager): WebClient { fun restClient(authorizedClientManager: OAuth2AuthorizedClientManager): RestClient {
val filter = ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager) val requestInterceptor = OAuth2ClientHttpRequestInterceptor(authorizedClientManager)
return WebClient.builder() return RestClient.builder()
.apply(filter.oauth2Configuration()) .requestInterceptor(requestInterceptor)
.build() .build()
} }
@ -656,35 +630,35 @@ class WebClientConfig {
---- ----
===== =====
This configured `WebClient` can be used as in the following example: This configured `RestClient` can be used as in the following example:
[[oauth2-client-accessing-protected-resources-example]] [[oauth2-client-accessing-protected-resources-example]]
.Use `WebClient` to Access Protected Resources .Use `RestClient` to Access Protected Resources
[tabs] [tabs]
===== =====
Java:: Java::
+ +
[source,java,role="primary"] [source,java,role="primary"]
---- ----
import static org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.clientRegistrationId; import static org.springframework.security.oauth2.client.web.client.RequestAttributeClientRegistrationIdResolver.clientRegistrationId;
@RestController @RestController
public class MessagesController { public class MessagesController {
private final WebClient webClient; private final RestClient restClient;
public MessagesController(WebClient webClient) { public MessagesController(RestClient restClient) {
this.webClient = webClient; this.restClient = restClient;
} }
@GetMapping("/messages") @GetMapping("/messages")
public ResponseEntity<List<Message>> messages() { public ResponseEntity<List<Message>> messages() {
return this.webClient.get() Message[] messages = this.restClient.get()
.uri("http://localhost:8090/messages") .uri("http://localhost:8090/messages")
.attributes(clientRegistrationId("my-oauth2-client")) .attributes(clientRegistrationId("my-oauth2-client"))
.retrieve() .retrieve()
.toEntityList(Message.class) .body(Message[].class);
.block(); return ResponseEntity.ok(Arrays.asList(messages));
} }
public record Message(String message) { public record Message(String message) {
@ -697,19 +671,21 @@ Kotlin::
+ +
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.clientRegistrationId import org.springframework.security.oauth2.client.web.client.RequestAttributeClientRegistrationIdResolver.clientRegistrationId
import org.springframework.web.client.body
@RestController @RestController
class MessagesController(private val webClient: WebClient) { class MessagesController(private val restClient: RestClient) {
@GetMapping("/messages") @GetMapping("/messages")
fun messages(): ResponseEntity<List<Message>> { fun messages(): ResponseEntity<List<Message>> {
return webClient.get() val messages = restClient.get()
.uri("http://localhost:8090/messages") .uri("http://localhost:8090/messages")
.attributes(clientRegistrationId("my-oauth2-client")) .attributes(clientRegistrationId("my-oauth2-client"))
.retrieve() .retrieve()
.toEntityList<Message>() .body<Array<Message>>()!!
.block()!! .toList()
return ResponseEntity.ok(messages)
} }
data class Message(val message: String) data class Message(val message: String)
@ -815,7 +791,227 @@ Spring Security provides implementations of `OAuth2AuthorizedClientManager` for
Spring Security registers a default `OAuth2AuthorizedClientManager` bean for you when one does not exist. Spring Security registers a default `OAuth2AuthorizedClientManager` bean for you when one does not exist.
==== ====
The easiest way to use an `OAuth2AuthorizedClientManager` is via an `ExchangeFilterFunction` that intercepts requests through a `WebClient`. The easiest way to use an `OAuth2AuthorizedClientManager` is via a `ClientHttpRequestInterceptor` that intercepts requests through a `RestClient`, which is already available when `spring-web` is on the classpath.
The following example uses the default `OAuth2AuthorizedClientManager` to configure a `RestClient` capable of accessing protected resources by placing `Bearer` tokens in the `Authorization` header of each request:
.Configure `RestClient` with `ClientHttpRequestInterceptor`
[tabs]
=====
Java::
+
[source,java,role="primary"]
----
@Configuration
public class RestClientConfig {
@Bean
public RestClient restClient(OAuth2AuthorizedClientManager authorizedClientManager) {
OAuth2ClientHttpRequestInterceptor requestInterceptor =
new OAuth2ClientHttpRequestInterceptor(authorizedClientManager, clientRegistrationIdResolver());
return RestClient.builder()
.requestInterceptor(requestInterceptor)
.build();
}
private static ClientRegistrationIdResolver clientRegistrationIdResolver() {
return (request) -> {
Authentication authentication = SecurityContextHolder.getAuthentication();
return (authentication instanceof OAuth2AuthenticationToken principal)
? principal.getAuthorizedClientRegistrationId()
: null;
};
}
}
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
@Configuration
class RestClientConfig {
@Bean
fun restClient(authorizedClientManager: OAuth2AuthorizedClientManager): RestClient {
val requestInterceptor = OAuth2ClientHttpRequestInterceptor(authorizedClientManager, clientRegistrationIdResolver())
return RestClient.builder()
.requestInterceptor(requestInterceptor)
.build()
}
private fun clientRegistrationIdResolver(): OAuth2ClientHttpRequestInterceptor.ClientRegistrationIdResolver {
return OAuth2ClientHttpRequestInterceptor.ClientRegistrationIdResolver { request ->
val authentication = SecurityContextHolder.getContext().authentication
if (authentication is OAuth2AuthenticationToken) {
authentication.authorizedClientRegistrationId
} else {
null
}
}
}
}
----
=====
This configured `RestClient` can be used as in the following example:
[[oauth2-client-accessing-protected-resources-current-user-example]]
.Use `RestClient` to Access Protected Resources (Current User)
[tabs]
=====
Java::
+
[source,java,role="primary"]
----
@RestController
public class MessagesController {
private final RestClient restClient;
public MessagesController(RestClient restClient) {
this.restClient = restClient;
}
@GetMapping("/messages")
public ResponseEntity<List<Message>> messages() {
Message[] messages = this.restClient.get()
.uri("http://localhost:8090/messages")
.retrieve()
.body(Message[].class);
return ResponseEntity.ok(Arrays.asList(messages));
}
public record Message(String message) {
}
}
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
import org.springframework.web.client.body
@RestController
class MessagesController(private val restClient: RestClient) {
@GetMapping("/messages")
fun messages(): ResponseEntity<List<Message>> {
val messages = restClient.get()
.uri("http://localhost:8090/messages")
.retrieve()
.body<Array<Message>>()!!
.toList()
return ResponseEntity.ok(messages)
}
data class Message(val message: String)
}
----
=====
[NOTE]
====
Unlike the <<oauth2-client-accessing-protected-resources-example,previous example>>, notice that we do not need to tell Spring Security about the `clientRegistrationId` we'd like to use.
This is because it can be derived from the currently logged in user.
====
[[oauth2-client-access-protected-resources-webclient]]
=== Access Protected Resources with `WebClient`
Making requests to a third party API that is protected by OAuth2 is a core use case of OAuth2 Client.
This is accomplished by authorizing a client (represented by the `OAuth2AuthorizedClient` class in Spring Security) and accessing protected resources by placing a `Bearer` token in the `Authorization` header of an outbound request.
The following example configures the application to act as an OAuth2 Client capable of requesting protected resources from a third party API:
.Configure OAuth2 Client
[tabs]
=====
Java::
+
[source,java,role="primary"]
----
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http
// ...
.oauth2Client(Customizer.withDefaults());
return http.build();
}
}
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
import org.springframework.security.config.annotation.web.invoke
@Configuration
@EnableWebSecurity
class SecurityConfig {
@Bean
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
// ...
oauth2Client { }
}
return http.build()
}
}
----
=====
[NOTE]
====
The above example does not provide a way to log users in.
You can use any other login mechanism (such as `formLogin()`).
See the <<oauth2-client-access-protected-resources-current-user,previous section>> for an example combining `oauth2Client()` with `oauth2Login()`.
====
In addition to the above configuration, the application requires at least one `ClientRegistration` to be configured through the use of a `ClientRegistrationRepository` bean.
The following example configures an `InMemoryClientRegistrationRepository` bean using Spring Boot configuration properties:
[source,yaml]
----
spring:
security:
oauth2:
client:
registration:
my-oauth2-client:
provider: my-auth-server
client-id: my-client-id
client-secret: my-client-secret
authorization-grant-type: authorization_code
scope: message.read,message.write
provider:
my-auth-server:
issuer-uri: https://my-auth-server.com
----
In addition to configuring Spring Security to support OAuth2 Client features, you will also need to decide how you will be accessing protected resources and configure your application accordingly.
Spring Security provides implementations of `OAuth2AuthorizedClientManager` for obtaining access tokens that can be used to access protected resources.
[TIP]
====
Spring Security registers a default `OAuth2AuthorizedClientManager` bean for you when one does not exist.
====
Another way to use an `OAuth2AuthorizedClientManager` is via an `ExchangeFilterFunction` that intercepts requests through a `WebClient`.
To use `WebClient`, you will need to add the `spring-webflux` dependency along with a reactive client implementation: To use `WebClient`, you will need to add the `spring-webflux` dependency along with a reactive client implementation:
.Add Spring WebFlux Dependency .Add Spring WebFlux Dependency
@ -889,14 +1085,15 @@ class WebClientConfig {
This configured `WebClient` can be used as in the following example: This configured `WebClient` can be used as in the following example:
[[oauth2-client-accessing-protected-resources-current-user-example]] .Use `WebClient` to Access Protected Resources
.Use `WebClient` to Access Protected Resources (Current User)
[tabs] [tabs]
===== =====
Java:: Java::
+ +
[source,java,role="primary"] [source,java,role="primary"]
---- ----
import static org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.clientRegistrationId;
@RestController @RestController
public class MessagesController { public class MessagesController {
@ -910,6 +1107,7 @@ public class MessagesController {
public ResponseEntity<List<Message>> messages() { public ResponseEntity<List<Message>> messages() {
return this.webClient.get() return this.webClient.get()
.uri("http://localhost:8090/messages") .uri("http://localhost:8090/messages")
.attributes(clientRegistrationId("my-oauth2-client"))
.retrieve() .retrieve()
.toEntityList(Message.class) .toEntityList(Message.class)
.block(); .block();
@ -925,6 +1123,8 @@ Kotlin::
+ +
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.clientRegistrationId
@RestController @RestController
class MessagesController(private val webClient: WebClient) { class MessagesController(private val webClient: WebClient) {
@ -932,6 +1132,7 @@ class MessagesController(private val webClient: WebClient) {
fun messages(): ResponseEntity<List<Message>> { fun messages(): ResponseEntity<List<Message>> {
return webClient.get() return webClient.get()
.uri("http://localhost:8090/messages") .uri("http://localhost:8090/messages")
.attributes(clientRegistrationId("my-oauth2-client"))
.retrieve() .retrieve()
.toEntityList<Message>() .toEntityList<Message>()
.block()!! .block()!!
@ -943,12 +1144,6 @@ class MessagesController(private val webClient: WebClient) {
---- ----
===== =====
[NOTE]
====
Unlike the <<oauth2-client-accessing-protected-resources-example,previous example>>, notice that we do not need to tell Spring Security about the `clientRegistrationId` we'd like to use.
This is because it can be derived from the currently logged in user.
====
[[oauth2-client-enable-extension-grant-type]] [[oauth2-client-enable-extension-grant-type]]
=== Enable an Extension Grant Type === Enable an Extension Grant Type

381
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/client/OAuth2ClientHttpRequestInterceptor.java
Unescape View File

@ -0,0 +1,381 @@
/*
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.oauth2.client.web.client;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpRequest;
import org.springframework.http.HttpStatus;
import org.springframework.http.HttpStatusCode;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.lang.Nullable;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.oauth2.client.ClientAuthorizationException;
import org.springframework.security.oauth2.client.OAuth2AuthorizationFailureHandler;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.RemoveAuthorizedClientOAuth2AuthorizationFailureHandler;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.client.RestClientResponseException;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
/**
* Provides an easy mechanism for using an {@link OAuth2AuthorizedClient} to make OAuth
* 2.0 requests by including the {@link OAuth2AuthorizedClient#getAccessToken() access
* token} as a bearer token.
*
* <p>
* Example usage:
*
* <pre>
* OAuth2ClientHttpRequestInterceptor requestInterceptor =
* new OAuth2ClientHttpRequestInterceptor(authorizedClientManager);
* RestClient restClient = RestClient.builder()
* .requestInterceptor(requestInterceptor)
* .build();
* String response = restClient.get()
* .uri(uri)
* .retrieve()
* .body(String.class);
* </pre>
*
* <h3>Authentication and Authorization Failures</h3>
*
* <p>
* This interceptor has the ability to forward authentication (HTTP 401 Unauthorized) and
* authorization (HTTP 403 Forbidden) failures from an OAuth 2.0 Resource Server to an
* {@link OAuth2AuthorizationFailureHandler}. A
* {@link RemoveAuthorizedClientOAuth2AuthorizationFailureHandler} can be used to remove
* the cached {@link OAuth2AuthorizedClient}, so that future requests will result in a new
* token being retrieved from an Authorization Server, and sent to the Resource Server.
*
* <p>
* Use either {@link #authorizationFailureHandler(OAuth2AuthorizedClientRepository)} or
* {@link #authorizationFailureHandler(OAuth2AuthorizedClientService)} to create a
* {@link RemoveAuthorizedClientOAuth2AuthorizationFailureHandler} which can be provided
* to {@link #setAuthorizationFailureHandler(OAuth2AuthorizationFailureHandler)}.
*
* <p>
* For example:
*
* <pre>
* OAuth2AuthorizationFailureHandler authorizationFailureHandler =
* OAuth2ClientHttpRequestInterceptor.authorizationFailureHandler(authorizedClientRepository);
* requestInterceptor.setAuthorizationFailureHandler(authorizationFailureHandler);
* </pre>
*
* @author Steve Riesenberg
* @since 6.4
* @see OAuth2AuthorizedClientManager
* @see OAuth2AuthorizedClientProvider
* @see OAuth2AuthorizedClient
* @see OAuth2AuthorizationFailureHandler
*/
public final class OAuth2ClientHttpRequestInterceptor implements ClientHttpRequestInterceptor {
// @formatter:off
private static final Map<HttpStatusCode, String> OAUTH2_ERROR_CODES = Map.of(
HttpStatus.UNAUTHORIZED, OAuth2ErrorCodes.INVALID_TOKEN,
HttpStatus.FORBIDDEN, OAuth2ErrorCodes.INSUFFICIENT_SCOPE
);
// @formatter:on
private static final Authentication ANONYMOUS_AUTHENTICATION = new AnonymousAuthenticationToken("anonymous",
"anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
private final OAuth2AuthorizedClientManager authorizedClientManager;
private final ClientRegistrationIdResolver clientRegistrationIdResolver;
// @formatter:off
private OAuth2AuthorizationFailureHandler authorizationFailureHandler =
(clientRegistrationId, principal, attributes) -> { };
// @formatter:on
private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
.getContextHolderStrategy();
/**
* Constructs a {@code OAuth2ClientHttpRequestInterceptor} using the provided
* parameters.
* @param authorizedClientManager the {@link OAuth2AuthorizedClientManager} which
* manages the authorized client(s)
*/
public OAuth2ClientHttpRequestInterceptor(OAuth2AuthorizedClientManager authorizedClientManager) {
this(authorizedClientManager, new RequestAttributeClientRegistrationIdResolver());
}
/**
* Constructs a {@code OAuth2ClientHttpRequestInterceptor} using the provided
* parameters.
* @param authorizedClientManager the {@link OAuth2AuthorizedClientManager} which
* manages the authorized client(s)
* @param clientRegistrationIdResolver the strategy for resolving a
* {@code clientRegistrationId} from the intercepted request
*/
public OAuth2ClientHttpRequestInterceptor(OAuth2AuthorizedClientManager authorizedClientManager,
ClientRegistrationIdResolver clientRegistrationIdResolver) {
Assert.notNull(authorizedClientManager, "authorizedClientManager cannot be null");
Assert.notNull(clientRegistrationIdResolver, "clientRegistrationIdResolver cannot be null");
this.authorizedClientManager = authorizedClientManager;
this.clientRegistrationIdResolver = clientRegistrationIdResolver;
}
/**
* Sets the {@link OAuth2AuthorizationFailureHandler} that handles authentication and
* authorization failures when communicating to the OAuth 2.0 Resource Server.
*
* <p>
* For example, a {@link RemoveAuthorizedClientOAuth2AuthorizationFailureHandler} is
* typically used to remove the cached {@link OAuth2AuthorizedClient}, so that the
* same token is no longer used in future requests to the Resource Server.
* @param authorizationFailureHandler the {@link OAuth2AuthorizationFailureHandler}
* that handles authentication and authorization failures
* @see #authorizationFailureHandler(OAuth2AuthorizedClientRepository)
* @see #authorizationFailureHandler(OAuth2AuthorizedClientService)
*/
public void setAuthorizationFailureHandler(OAuth2AuthorizationFailureHandler authorizationFailureHandler) {
Assert.notNull(authorizationFailureHandler, "authorizationFailureHandler cannot be null");
this.authorizationFailureHandler = authorizationFailureHandler;
}
/**
* Provides an {@link OAuth2AuthorizationFailureHandler} that handles authentication
* and authorization failures when communicating to the OAuth 2.0 Resource Server
* using a {@link OAuth2AuthorizedClientRepository}.
*
* <p>
* When this method is used, authentication (HTTP 401) and authorization (HTTP 403)
* failures returned from an OAuth 2.0 Resource Server will be forwarded to a
* {@link RemoveAuthorizedClientOAuth2AuthorizationFailureHandler}, which will
* potentially remove the {@link OAuth2AuthorizedClient} from the given
* {@link OAuth2AuthorizedClientRepository}, depending on the OAuth 2.0 error code
* returned. Authentication failures returned from an OAuth 2.0 Resource Server
* typically indicate that the token is invalid, and should not be used in future
* requests. Removing the authorized client from the repository will ensure that the
* existing token will not be sent for future requests to the Resource Server, and a
* new token is retrieved from the Authorization Server and used for future requests
* to the Resource Server.
* @param authorizedClientRepository the repository of authorized clients
* @see #setAuthorizationFailureHandler(OAuth2AuthorizationFailureHandler)
*/
public static OAuth2AuthorizationFailureHandler authorizationFailureHandler(
OAuth2AuthorizedClientRepository authorizedClientRepository) {
Assert.notNull(authorizedClientRepository, "authorizedClientRepository cannot be null");
return new RemoveAuthorizedClientOAuth2AuthorizationFailureHandler(
(clientRegistrationId, principal, attributes) -> {
HttpServletRequest request = (HttpServletRequest) attributes
.get(HttpServletRequest.class.getName());
HttpServletResponse response = (HttpServletResponse) attributes
.get(HttpServletResponse.class.getName());
authorizedClientRepository.removeAuthorizedClient(clientRegistrationId, principal, request,
response);
});
}
/**
* Provides an {@link OAuth2AuthorizationFailureHandler} that handles authentication
* and authorization failures when communicating to the OAuth 2.0 Resource Server
* using a {@link OAuth2AuthorizedClientService}.
*
* <p>
* When this method is used, authentication (HTTP 401) and authorization (HTTP 403)
* failures returned from an OAuth 2.0 Resource Server will be forwarded to a
* {@link RemoveAuthorizedClientOAuth2AuthorizationFailureHandler}, which will
* potentially remove the {@link OAuth2AuthorizedClient} from the given
* {@link OAuth2AuthorizedClientService}, depending on the OAuth 2.0 error code
* returned. Authentication failures returned from an OAuth 2.0 Resource Server
* typically indicate that the token is invalid, and should not be used in future
* requests. Removing the authorized client from the repository will ensure that the
* existing token will not be sent for future requests to the Resource Server, and a
* new token is retrieved from the Authorization Server and used for future requests
* to the Resource Server.
* @param authorizedClientService the service used to manage authorized clients
* @see #setAuthorizationFailureHandler(OAuth2AuthorizationFailureHandler)
*/
public static OAuth2AuthorizationFailureHandler authorizationFailureHandler(
OAuth2AuthorizedClientService authorizedClientService) {
Assert.notNull(authorizedClientService, "authorizedClientService cannot be null");
return new RemoveAuthorizedClientOAuth2AuthorizationFailureHandler(
(clientRegistrationId, principal, attributes) -> authorizedClientService
.removeAuthorizedClient(clientRegistrationId, principal.getName()));
}
/**
* Sets the {@link SecurityContextHolderStrategy} to use. The default action is to use
* the {@link SecurityContextHolderStrategy} stored in {@link SecurityContextHolder}.
* @param securityContextHolderStrategy the {@link SecurityContextHolderStrategy} to
* use
*/
public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
Assert.notNull(securityContextHolderStrategy, "securityContextHolderStrategy cannot be null");
this.securityContextHolderStrategy = securityContextHolderStrategy;
}
@Override
public ClientHttpResponse intercept(HttpRequest request, byte[] body, ClientHttpRequestExecution execution)
throws IOException {
Authentication principal = this.securityContextHolderStrategy.getContext().getAuthentication();
if (principal == null) {
principal = ANONYMOUS_AUTHENTICATION;
}
authorizeClient(request, principal);
try {
ClientHttpResponse response = execution.execute(request, body);
handleAuthorizationFailure(request, principal, response.getHeaders(), response.getStatusCode());
return response;
}
catch (RestClientResponseException ex) {
handleAuthorizationFailure(request, principal, ex.getResponseHeaders(), ex.getStatusCode());
throw ex;
}
catch (OAuth2AuthorizationException ex) {
handleAuthorizationFailure(ex, principal);
throw ex;
}
}
private void authorizeClient(HttpRequest request, Authentication principal) {
String clientRegistrationId = this.clientRegistrationIdResolver.resolve(request);
if (clientRegistrationId == null) {
return;
}
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId(clientRegistrationId)
.principal(principal)
.build();
OAuth2AuthorizedClient authorizedClient = this.authorizedClientManager.authorize(authorizeRequest);
if (authorizedClient != null) {
request.getHeaders().setBearerAuth(authorizedClient.getAccessToken().getTokenValue());
}
}
private void handleAuthorizationFailure(HttpRequest request, Authentication principal, HttpHeaders headers,
HttpStatusCode httpStatus) {
OAuth2Error error = resolveOAuth2ErrorIfPossible(headers, httpStatus);
if (error == null) {
return;
}
String clientRegistrationId = this.clientRegistrationIdResolver.resolve(request);
if (clientRegistrationId == null) {
return;
}
ClientAuthorizationException authorizationException = new ClientAuthorizationException(error,
clientRegistrationId);
handleAuthorizationFailure(authorizationException, principal);
}
private static OAuth2Error resolveOAuth2ErrorIfPossible(HttpHeaders headers, HttpStatusCode httpStatus) {
String wwwAuthenticateHeader = headers.getFirst(HttpHeaders.WWW_AUTHENTICATE);
if (wwwAuthenticateHeader != null) {
Map<String, String> parameters = parseWwwAuthenticateHeader(wwwAuthenticateHeader);
if (parameters.containsKey(OAuth2ParameterNames.ERROR)) {
return new OAuth2Error(parameters.get(OAuth2ParameterNames.ERROR),
parameters.get(OAuth2ParameterNames.ERROR_DESCRIPTION),
parameters.get(OAuth2ParameterNames.ERROR_URI));
}
}
String errorCode = OAUTH2_ERROR_CODES.get(httpStatus);
if (errorCode != null) {
return new OAuth2Error(errorCode, null, "https://tools.ietf.org/html/rfc6750#section-3.1");
}
return null;
}
private static Map<String, String> parseWwwAuthenticateHeader(String wwwAuthenticateHeader) {
if (!StringUtils.hasLength(wwwAuthenticateHeader)
|| !StringUtils.startsWithIgnoreCase(wwwAuthenticateHeader, "bearer")) {
return Map.of();
}
String headerValue = wwwAuthenticateHeader.substring("bearer".length()).stripLeading();
Map<String, String> parameters = new HashMap<>();
for (String kvPair : StringUtils.delimitedListToStringArray(headerValue, ",")) {
String[] kv = StringUtils.split(kvPair, "=");
if (kv == null || kv.length <= 1) {
continue;
}
parameters.put(kv[0].trim(), kv[1].trim().replace("\"", ""));
}
return parameters;
}
private void handleAuthorizationFailure(OAuth2AuthorizationException authorizationException,
Authentication principal) {
ServletRequestAttributes requestAttributes = (ServletRequestAttributes) RequestContextHolder
.getRequestAttributes();
Map<String, Object> attributes = new HashMap<>();
if (requestAttributes != null) {
attributes.put(HttpServletRequest.class.getName(), requestAttributes.getRequest());
if (requestAttributes.getResponse() != null) {
attributes.put(HttpServletResponse.class.getName(), requestAttributes.getResponse());
}
}
this.authorizationFailureHandler.onAuthorizationFailure(authorizationException, principal, attributes);
}
/**
* A strategy for resolving a {@code clientRegistrationId} from an intercepted
* request.
*/
@FunctionalInterface
public interface ClientRegistrationIdResolver {
/**
* Resolve the {@code clientRegistrationId} from the current request, which is
* used to obtain an {@link OAuth2AuthorizedClient}.
* @param request the intercepted request, containing HTTP method, URI, headers,
* and request attributes
* @return the {@code clientRegistrationId} to be used for resolving an
* {@link OAuth2AuthorizedClient}.
*/
@Nullable
String resolve(HttpRequest request);
}
}

60
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/client/RequestAttributeClientRegistrationIdResolver.java
Unescape View File

@ -0,0 +1,60 @@
/*
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.oauth2.client.web.client;
import java.util.Map;
import java.util.function.Consumer;
import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.util.Assert;
/**
* A strategy for resolving a {@code clientRegistrationId} from an intercepted request
* using {@link ClientHttpRequest#getAttributes() attributes}.
*
* @author Steve Riesenberg
* @see OAuth2ClientHttpRequestInterceptor
*/
public final class RequestAttributeClientRegistrationIdResolver
implements OAuth2ClientHttpRequestInterceptor.ClientRegistrationIdResolver {
private static final String CLIENT_REGISTRATION_ID_ATTR_NAME = RequestAttributeClientRegistrationIdResolver.class
.getName()
.concat(".clientRegistrationId");
@Override
public String resolve(HttpRequest request) {
return (String) request.getAttributes().get(CLIENT_REGISTRATION_ID_ATTR_NAME);
}
/**
* Modifies the {@link ClientHttpRequest#getAttributes() attributes} to include the
* {@link ClientRegistration#getRegistrationId() clientRegistrationId} to be used to
* look up the {@link OAuth2AuthorizedClient}.
* @param clientRegistrationId the {@link ClientRegistration#getRegistrationId()
* clientRegistrationId} to be used to look up the {@link OAuth2AuthorizedClient}
* @return the {@link Consumer} to populate the attributes
*/
public static Consumer<Map<String, Object>> clientRegistrationId(String clientRegistrationId) {
Assert.hasText(clientRegistrationId, "clientRegistrationId cannot be empty");
return (attributes) -> attributes.put(CLIENT_REGISTRATION_ID_ATTR_NAME, clientRegistrationId);
}
}

725
oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/function/client/OAuth2ClientHttpRequestInterceptorTests.java
Unescape View File

@ -0,0 +1,725 @@
/*
* Copyright 2002-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.oauth2.client.web.function.client;
import java.util.List;
import java.util.Map;
import java.util.function.Consumer;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.ArgumentCaptor;
import org.mockito.Captor;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpRequest;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.oauth2.client.ClientAuthorizationException;
import org.springframework.security.oauth2.client.OAuth2AuthorizationFailureHandler;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.TestClientRegistrations;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.client.OAuth2ClientHttpRequestInterceptor;
import org.springframework.security.oauth2.client.web.client.RequestAttributeClientRegistrationIdResolver;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.TestOAuth2AccessTokens;
import org.springframework.security.oauth2.core.oidc.StandardClaimNames;
import org.springframework.security.oauth2.core.user.DefaultOAuth2User;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.test.web.client.MockRestServiceServer;
import org.springframework.test.web.client.RequestMatcher;
import org.springframework.test.web.client.ResponseCreator;
import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.HttpServerErrorException;
import org.springframework.web.client.RestClient;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.assertj.core.api.Assertions.entry;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoInteractions;
import static org.mockito.Mockito.verifyNoMoreInteractions;
import static org.springframework.test.web.client.match.MockRestRequestMatchers.header;
import static org.springframework.test.web.client.match.MockRestRequestMatchers.headerDoesNotExist;
import static org.springframework.test.web.client.match.MockRestRequestMatchers.requestTo;
import static org.springframework.test.web.client.response.MockRestResponseCreators.withStatus;
import static org.springframework.test.web.client.response.MockRestResponseCreators.withSuccess;
/**
* Tests for {@link OAuth2ClientHttpRequestInterceptor}.
*
* @author Steve Riesenberg
*/
@ExtendWith(MockitoExtension.class)
public class OAuth2ClientHttpRequestInterceptorTests {
private static final String REQUEST_URI = "/resources";
private static final String ERROR_DESCRIPTION = "The request requires higher privileges than provided by the access token.";
private static final String ERROR_URI = "https://tools.ietf.org/html/rfc6750#section-3.1";
@Mock
private OAuth2AuthorizedClientManager authorizedClientManager;
@Mock
private OAuth2AuthorizationFailureHandler authorizationFailureHandler;
@Mock
private OAuth2AuthorizedClientRepository authorizedClientRepository;
@Mock
private SecurityContextHolderStrategy securityContextHolderStrategy;
@Mock
private OAuth2AuthorizedClientService authorizedClientService;
@Mock
private OAuth2ClientHttpRequestInterceptor.ClientRegistrationIdResolver clientRegistrationIdResolver;
@Captor
private ArgumentCaptor<OAuth2AuthorizeRequest> authorizeRequestCaptor;
@Captor
private ArgumentCaptor<OAuth2AuthorizationException> authorizationExceptionCaptor;
@Captor
private ArgumentCaptor<Authentication> authenticationCaptor;
@Captor
private ArgumentCaptor<Map<String, Object>> attributesCaptor;
private ClientRegistration clientRegistration;
private OAuth2AuthorizedClient authorizedClient;
private OAuth2AuthenticationToken principal;
private OAuth2ClientHttpRequestInterceptor requestInterceptor;
private MockRestServiceServer server;
private RestClient restClient;
@BeforeEach
public void setUp() {
this.clientRegistration = TestClientRegistrations.clientRegistration().build();
OAuth2AccessToken accessToken = TestOAuth2AccessTokens.scopes("read", "write");
this.authorizedClient = new OAuth2AuthorizedClient(this.clientRegistration, "user", accessToken);
List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("OAUTH2_USER");
Map<String, Object> attributes = Map.of(StandardClaimNames.SUB, "user");
OAuth2User user = new DefaultOAuth2User(authorities, attributes, StandardClaimNames.SUB);
this.principal = new OAuth2AuthenticationToken(user, authorities, "login-client");
this.requestInterceptor = new OAuth2ClientHttpRequestInterceptor(this.authorizedClientManager);
}
@AfterEach
public void tearDown() {
SecurityContextHolder.clearContext();
RequestContextHolder.resetRequestAttributes();
}
@Test
public void constructorWhenAuthorizedClientManagerIsNullThenThrowsIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(() -> new OAuth2ClientHttpRequestInterceptor(null))
.withMessage("authorizedClientManager cannot be null");
}
@Test
public void constructorWhenClientRegistrationIdResolverIsNullThenThrowsIllegalArgumentException() {
assertThatIllegalArgumentException()
.isThrownBy(() -> new OAuth2ClientHttpRequestInterceptor(this.authorizedClientManager, null))
.withMessage("clientRegistrationIdResolver cannot be null");
}
@Test
public void setAuthorizationFailureHandlerWhenNullThenThrowsIllegalArgumentException() {
assertThatIllegalArgumentException()
.isThrownBy(() -> this.requestInterceptor.setAuthorizationFailureHandler(null))
.withMessage("authorizationFailureHandler cannot be null");
}
@Test
public void authorizationFailureHandlerWhenAuthorizedClientRepositoryIsNullThenThrowsIllegalArgumentException() {
assertThatIllegalArgumentException()
.isThrownBy(() -> OAuth2ClientHttpRequestInterceptor
.authorizationFailureHandler((OAuth2AuthorizedClientRepository) null))
.withMessage("authorizedClientRepository cannot be null");
}
@Test
public void authorizationFailureHandlerWhenAuthorizedClientServiceIsNullThenThrowsIllegalArgumentException() {
assertThatIllegalArgumentException()
.isThrownBy(() -> OAuth2ClientHttpRequestInterceptor
.authorizationFailureHandler((OAuth2AuthorizedClientService) null))
.withMessage("authorizedClientService cannot be null");
}
@Test
public void setSecurityContextHolderStrategyWhenNullThenThrowsIllegalArgumentException() {
assertThatIllegalArgumentException()
.isThrownBy(() -> this.requestInterceptor.setSecurityContextHolderStrategy(null))
.withMessage("securityContextHolderStrategy cannot be null");
}
@Test
public void interceptWhenAnonymousThenAuthorizationHeaderNotSet() {
this.requestInterceptor.setAuthorizationFailureHandler(this.authorizationFailureHandler);
bindToRestClient(withRequestInterceptor());
this.server.expect(requestTo(REQUEST_URI))
.andExpect(headerDoesNotExist(HttpHeaders.AUTHORIZATION))
.andRespond(withApplicationJson());
performRequest(withDefaults());
this.server.verify();
verifyNoInteractions(this.authorizedClientManager, this.authorizationFailureHandler);
}
@Test
public void interceptWhenAnonymousAndAuthorizedThenAuthorizationHeaderSet() {
this.requestInterceptor.setAuthorizationFailureHandler(this.authorizationFailureHandler);
given(this.authorizedClientManager.authorize(any(OAuth2AuthorizeRequest.class)))
.willReturn(this.authorizedClient);
bindToRestClient(withRequestInterceptor());
this.server.expect(requestTo(REQUEST_URI))
.andExpect(hasAuthorizationHeader(this.authorizedClient.getAccessToken()))
.andRespond(withApplicationJson());
performRequest(withClientRegistrationId());
this.server.verify();
verify(this.authorizedClientManager).authorize(this.authorizeRequestCaptor.capture());
verifyNoMoreInteractions(this.authorizedClientManager);
verifyNoInteractions(this.authorizationFailureHandler);
OAuth2AuthorizeRequest authorizeRequest = this.authorizeRequestCaptor.getValue();
assertThat(authorizeRequest.getClientRegistrationId()).isEqualTo(this.clientRegistration.getRegistrationId());
assertThat(authorizeRequest.getPrincipal()).isInstanceOf(AnonymousAuthenticationToken.class);
}
@Test
public void interceptWhenAnonymousAndNotAuthorizedThenAuthorizationHeaderNotSet() {
this.requestInterceptor.setAuthorizationFailureHandler(this.authorizationFailureHandler);
given(this.authorizedClientManager.authorize(any(OAuth2AuthorizeRequest.class))).willReturn(null);
bindToRestClient(withRequestInterceptor());
this.server.expect(requestTo(REQUEST_URI))
.andExpect(headerDoesNotExist(HttpHeaders.AUTHORIZATION))
.andRespond(withApplicationJson());
performRequest(withClientRegistrationId());
this.server.verify();
verify(this.authorizedClientManager).authorize(this.authorizeRequestCaptor.capture());
verifyNoMoreInteractions(this.authorizedClientManager);
verifyNoInteractions(this.authorizationFailureHandler);
OAuth2AuthorizeRequest authorizeRequest = this.authorizeRequestCaptor.getValue();
assertThat(authorizeRequest.getClientRegistrationId()).isEqualTo(this.clientRegistration.getRegistrationId());
assertThat(authorizeRequest.getPrincipal()).isInstanceOf(AnonymousAuthenticationToken.class);
}
@Test
public void interceptWhenAuthenticatedAndAuthorizedThenAuthorizationHeaderSet() {
this.requestInterceptor.setAuthorizationFailureHandler(this.authorizationFailureHandler);
given(this.authorizedClientManager.authorize(any(OAuth2AuthorizeRequest.class)))
.willReturn(this.authorizedClient);
bindToRestClient(withRequestInterceptor());
this.server.expect(requestTo(REQUEST_URI))
.andExpect(hasAuthorizationHeader(this.authorizedClient.getAccessToken()))
.andRespond(withApplicationJson());
SecurityContext securityContext = new SecurityContextImpl();
securityContext.setAuthentication(this.principal);
SecurityContextHolder.setContext(securityContext);
performRequest(withClientRegistrationId());
this.server.verify();
verify(this.authorizedClientManager).authorize(this.authorizeRequestCaptor.capture());
verifyNoMoreInteractions(this.authorizedClientManager);
verifyNoInteractions(this.authorizationFailureHandler);
OAuth2AuthorizeRequest authorizeRequest = this.authorizeRequestCaptor.getValue();
assertThat(authorizeRequest.getClientRegistrationId()).isEqualTo(this.clientRegistration.getRegistrationId());
assertThat(authorizeRequest.getPrincipal()).isEqualTo(this.principal);
}
@Test
public void interceptWhenAuthenticatedAndNotAuthorizedThenAuthorizationHeaderNotSet() {
this.requestInterceptor.setAuthorizationFailureHandler(this.authorizationFailureHandler);
given(this.authorizedClientManager.authorize(any(OAuth2AuthorizeRequest.class))).willReturn(null);
bindToRestClient(withRequestInterceptor());
this.server.expect(requestTo(REQUEST_URI))
.andExpect(headerDoesNotExist(HttpHeaders.AUTHORIZATION))
.andRespond(withApplicationJson());
SecurityContext securityContext = new SecurityContextImpl();
securityContext.setAuthentication(this.principal);
SecurityContextHolder.setContext(securityContext);
performRequest(withClientRegistrationId());
this.server.verify();
verify(this.authorizedClientManager).authorize(this.authorizeRequestCaptor.capture());
verifyNoMoreInteractions(this.authorizedClientManager);
verifyNoInteractions(this.authorizationFailureHandler);
OAuth2AuthorizeRequest authorizeRequest = this.authorizeRequestCaptor.getValue();
assertThat(authorizeRequest.getClientRegistrationId()).isEqualTo(this.clientRegistration.getRegistrationId());
assertThat(authorizeRequest.getPrincipal()).isInstanceOf(OAuth2AuthenticationToken.class);
}
@Test
public void interceptWhenAnonymousAndUnauthorizedThenDoesNotCallAuthorizationFailureHandler() {
this.requestInterceptor.setAuthorizationFailureHandler(this.authorizationFailureHandler);
bindToRestClient(withRequestInterceptor());
this.server.expect(requestTo(REQUEST_URI))
.andExpect(headerDoesNotExist(HttpHeaders.AUTHORIZATION))
.andRespond(withWwwAuthenticateHeader(HttpStatus.UNAUTHORIZED));
assertThatExceptionOfType(HttpClientErrorException.class).isThrownBy(() -> performRequest(withDefaults()))
.satisfies((ex) -> assertThat(ex.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED));
this.server.verify();
verifyNoInteractions(this.authorizedClientManager, this.authorizationFailureHandler);
}
@Test
public void interceptWhenAnonymousAndOAuth2ErrorInWwwAuthenticateHeaderThenCallsAuthorizationFailureHandlerWithInsufficientScopeError() {
this.requestInterceptor.setAuthorizationFailureHandler(this.authorizationFailureHandler);
given(this.authorizedClientManager.authorize(any(OAuth2AuthorizeRequest.class)))
.willReturn(this.authorizedClient);
bindToRestClient(withRequestInterceptor());
this.server.expect(requestTo(REQUEST_URI))
.andExpect(hasAuthorizationHeader(this.authorizedClient.getAccessToken()))
.andRespond(withWwwAuthenticateHeader(HttpStatus.OK));
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request, response));
performRequest(withClientRegistrationId());
this.server.verify();
verify(this.authorizedClientManager).authorize(any(OAuth2AuthorizeRequest.class));
verify(this.authorizationFailureHandler).onAuthorizationFailure(this.authorizationExceptionCaptor.capture(),
this.authenticationCaptor.capture(), this.attributesCaptor.capture());
verifyNoMoreInteractions(this.authorizedClientManager, this.authorizationFailureHandler);
assertThat(this.authorizationExceptionCaptor.getValue()).isInstanceOfSatisfying(
ClientAuthorizationException.class,
hasOAuth2Error(OAuth2ErrorCodes.INSUFFICIENT_SCOPE, ERROR_DESCRIPTION));
assertThat(this.authenticationCaptor.getValue()).isInstanceOf(AnonymousAuthenticationToken.class);
assertThat(this.attributesCaptor.getValue()).containsExactly(entry(HttpServletRequest.class.getName(), request),
entry(HttpServletResponse.class.getName(), response));
}
@Test
public void interceptWhenAuthenticatedAndOAuth2ErrorInWwwAuthenticateHeaderThenCallsAuthorizationFailureHandlerWithInsufficientScopeError() {
this.requestInterceptor.setAuthorizationFailureHandler(this.authorizationFailureHandler);
given(this.authorizedClientManager.authorize(any(OAuth2AuthorizeRequest.class)))
.willReturn(this.authorizedClient);
bindToRestClient(withRequestInterceptor());
this.server.expect(requestTo(REQUEST_URI))
.andExpect(hasAuthorizationHeader(this.authorizedClient.getAccessToken()))
.andRespond(withWwwAuthenticateHeader(HttpStatus.OK));
SecurityContext securityContext = new SecurityContextImpl();
securityContext.setAuthentication(this.principal);
SecurityContextHolder.setContext(securityContext);
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request, response));
performRequest(withClientRegistrationId());
this.server.verify();
verify(this.authorizedClientManager).authorize(any(OAuth2AuthorizeRequest.class));
verify(this.authorizationFailureHandler).onAuthorizationFailure(this.authorizationExceptionCaptor.capture(),
this.authenticationCaptor.capture(), this.attributesCaptor.capture());
verifyNoMoreInteractions(this.authorizedClientManager, this.authorizationFailureHandler);
assertThat(this.authorizationExceptionCaptor.getValue()).isInstanceOfSatisfying(
ClientAuthorizationException.class,
hasOAuth2Error(OAuth2ErrorCodes.INSUFFICIENT_SCOPE, ERROR_DESCRIPTION));
assertThat(this.authenticationCaptor.getValue()).isEqualTo(this.principal);
assertThat(this.attributesCaptor.getValue()).containsExactly(entry(HttpServletRequest.class.getName(), request),
entry(HttpServletResponse.class.getName(), response));
}
@Test
public void interceptWhenUnauthorizedAndOAuth2ErrorInWwwAuthenticateHeaderThenCallsAuthorizationFailureHandlerWithInsufficientScopeError() {
this.requestInterceptor.setAuthorizationFailureHandler(this.authorizationFailureHandler);
given(this.authorizedClientManager.authorize(any(OAuth2AuthorizeRequest.class)))
.willReturn(this.authorizedClient);
bindToRestClient(withRequestInterceptor());
this.server.expect(requestTo(REQUEST_URI))
.andExpect(hasAuthorizationHeader(this.authorizedClient.getAccessToken()))
.andRespond(withWwwAuthenticateHeader(HttpStatus.UNAUTHORIZED));
SecurityContext securityContext = new SecurityContextImpl();
securityContext.setAuthentication(this.principal);
SecurityContextHolder.setContext(securityContext);
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request, response));
assertThatExceptionOfType(HttpClientErrorException.class)
.isThrownBy(() -> performRequest(withClientRegistrationId()))
.satisfies((ex) -> assertThat(ex.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED));
this.server.verify();
verify(this.authorizedClientManager).authorize(any(OAuth2AuthorizeRequest.class));
verify(this.authorizationFailureHandler).onAuthorizationFailure(this.authorizationExceptionCaptor.capture(),
this.authenticationCaptor.capture(), this.attributesCaptor.capture());
verifyNoMoreInteractions(this.authorizedClientManager, this.authorizationFailureHandler);
assertThat(this.authorizationExceptionCaptor.getValue()).isInstanceOfSatisfying(
ClientAuthorizationException.class,
hasOAuth2Error(OAuth2ErrorCodes.INSUFFICIENT_SCOPE, ERROR_DESCRIPTION));
assertThat(this.authenticationCaptor.getValue()).isEqualTo(this.principal);
assertThat(this.attributesCaptor.getValue()).containsExactly(entry(HttpServletRequest.class.getName(), request),
entry(HttpServletResponse.class.getName(), response));
}
@Test
public void interceptWhenForbiddenAndOAuth2ErrorInWwwAuthenticateHeaderThenCallsAuthorizationFailureHandlerWithInsufficientScopeError() {
this.requestInterceptor.setAuthorizationFailureHandler(this.authorizationFailureHandler);
given(this.authorizedClientManager.authorize(any(OAuth2AuthorizeRequest.class)))
.willReturn(this.authorizedClient);
bindToRestClient(withRequestInterceptor());
this.server.expect(requestTo(REQUEST_URI))
.andExpect(hasAuthorizationHeader(this.authorizedClient.getAccessToken()))
.andRespond(withWwwAuthenticateHeader(HttpStatus.FORBIDDEN));
SecurityContext securityContext = new SecurityContextImpl();
securityContext.setAuthentication(this.principal);
SecurityContextHolder.setContext(securityContext);
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request, response));
assertThatExceptionOfType(HttpClientErrorException.class)
.isThrownBy(() -> performRequest(withClientRegistrationId()))
.satisfies((ex) -> assertThat(ex.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN));
this.server.verify();
verify(this.authorizedClientManager).authorize(any(OAuth2AuthorizeRequest.class));
verify(this.authorizationFailureHandler).onAuthorizationFailure(this.authorizationExceptionCaptor.capture(),
this.authenticationCaptor.capture(), this.attributesCaptor.capture());
verifyNoMoreInteractions(this.authorizedClientManager, this.authorizationFailureHandler);
assertThat(this.authorizationExceptionCaptor.getValue()).isInstanceOfSatisfying(
ClientAuthorizationException.class,
hasOAuth2Error(OAuth2ErrorCodes.INSUFFICIENT_SCOPE, ERROR_DESCRIPTION));
assertThat(this.authenticationCaptor.getValue()).isEqualTo(this.principal);
assertThat(this.attributesCaptor.getValue()).containsExactly(entry(HttpServletRequest.class.getName(), request),
entry(HttpServletResponse.class.getName(), response));
}
@Test
public void interceptWhenUnauthorizedThenCallsAuthorizationFailureHandlerWithInvalidTokenError() {
this.requestInterceptor.setAuthorizationFailureHandler(this.authorizationFailureHandler);
given(this.authorizedClientManager.authorize(any(OAuth2AuthorizeRequest.class)))
.willReturn(this.authorizedClient);
bindToRestClient(withRequestInterceptor());
this.server.expect(requestTo(REQUEST_URI))
.andExpect(hasAuthorizationHeader(this.authorizedClient.getAccessToken()))
.andRespond(withStatus(HttpStatus.UNAUTHORIZED));
SecurityContext securityContext = new SecurityContextImpl();
securityContext.setAuthentication(this.principal);
SecurityContextHolder.setContext(securityContext);
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request, response));
assertThatExceptionOfType(HttpClientErrorException.class)
.isThrownBy(() -> performRequest(withClientRegistrationId()))
.satisfies((ex) -> assertThat(ex.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED));
this.server.verify();
verify(this.authorizedClientManager).authorize(any(OAuth2AuthorizeRequest.class));
verify(this.authorizationFailureHandler).onAuthorizationFailure(this.authorizationExceptionCaptor.capture(),
this.authenticationCaptor.capture(), this.attributesCaptor.capture());
verifyNoMoreInteractions(this.authorizedClientManager, this.authorizationFailureHandler);
assertThat(this.authorizationExceptionCaptor.getValue()).isInstanceOfSatisfying(
ClientAuthorizationException.class, hasOAuth2Error(OAuth2ErrorCodes.INVALID_TOKEN, null));
assertThat(this.authenticationCaptor.getValue()).isEqualTo(this.principal);
assertThat(this.attributesCaptor.getValue()).containsExactly(entry(HttpServletRequest.class.getName(), request),
entry(HttpServletResponse.class.getName(), response));
}
@Test
public void interceptWhenForbiddenThenCallsAuthorizationFailureHandlerWithInsufficientScopeError() {
this.requestInterceptor.setAuthorizationFailureHandler(this.authorizationFailureHandler);
given(this.authorizedClientManager.authorize(any(OAuth2AuthorizeRequest.class)))
.willReturn(this.authorizedClient);
bindToRestClient(withRequestInterceptor());
this.server.expect(requestTo(REQUEST_URI))
.andExpect(hasAuthorizationHeader(this.authorizedClient.getAccessToken()))
.andRespond(withStatus(HttpStatus.FORBIDDEN));
SecurityContext securityContext = new SecurityContextImpl();
securityContext.setAuthentication(this.principal);
SecurityContextHolder.setContext(securityContext);
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request, response));
assertThatExceptionOfType(HttpClientErrorException.class)
.isThrownBy(() -> performRequest(withClientRegistrationId()))
.satisfies((ex) -> assertThat(ex.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN));
this.server.verify();
verify(this.authorizedClientManager).authorize(any(OAuth2AuthorizeRequest.class));
verify(this.authorizationFailureHandler).onAuthorizationFailure(this.authorizationExceptionCaptor.capture(),
this.authenticationCaptor.capture(), this.attributesCaptor.capture());
verifyNoMoreInteractions(this.authorizedClientManager, this.authorizationFailureHandler);
assertThat(this.authorizationExceptionCaptor.getValue()).isInstanceOfSatisfying(
ClientAuthorizationException.class, hasOAuth2Error(OAuth2ErrorCodes.INSUFFICIENT_SCOPE, null));
assertThat(this.authenticationCaptor.getValue()).isEqualTo(this.principal);
assertThat(this.attributesCaptor.getValue()).containsExactly(entry(HttpServletRequest.class.getName(), request),
entry(HttpServletResponse.class.getName(), response));
}
@Test
public void interceptWhenInternalServerErrorThenDoesNotCallAuthorizationFailureHandler() {
this.requestInterceptor.setAuthorizationFailureHandler(this.authorizationFailureHandler);
given(this.authorizedClientManager.authorize(any(OAuth2AuthorizeRequest.class)))
.willReturn(this.authorizedClient);
bindToRestClient(withRequestInterceptor());
this.server.expect(requestTo(REQUEST_URI))
.andExpect(hasAuthorizationHeader(this.authorizedClient.getAccessToken()))
.andRespond(withStatus(HttpStatus.INTERNAL_SERVER_ERROR));
assertThatExceptionOfType(HttpServerErrorException.class)
.isThrownBy(() -> performRequest(withClientRegistrationId()))
.satisfies((ex) -> assertThat(ex.getStatusCode()).isEqualTo(HttpStatus.INTERNAL_SERVER_ERROR));
this.server.verify();
verify(this.authorizedClientManager).authorize(any(OAuth2AuthorizeRequest.class));
verifyNoMoreInteractions(this.authorizedClientManager);
verifyNoInteractions(this.authorizationFailureHandler);
}
@Test
public void interceptWhenAuthorizationExceptionThenCallsAuthorizationFailureHandlerWithException() {
this.requestInterceptor.setAuthorizationFailureHandler(this.authorizationFailureHandler);
given(this.authorizedClientManager.authorize(any(OAuth2AuthorizeRequest.class)))
.willReturn(this.authorizedClient);
bindToRestClient(withRequestInterceptor());
OAuth2AuthorizationException authorizationException = new OAuth2AuthorizationException(
new OAuth2Error(OAuth2ErrorCodes.INVALID_TOKEN));
this.server.expect(requestTo(REQUEST_URI))
.andExpect(hasAuthorizationHeader(this.authorizedClient.getAccessToken()))
.andRespond(withException(authorizationException));
SecurityContext securityContext = new SecurityContextImpl();
securityContext.setAuthentication(this.principal);
SecurityContextHolder.setContext(securityContext);
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request, response));
assertThatExceptionOfType(OAuth2AuthorizationException.class)
.isThrownBy(() -> performRequest(withClientRegistrationId()))
.isEqualTo(authorizationException);
this.server.verify();
verify(this.authorizedClientManager).authorize(any(OAuth2AuthorizeRequest.class));
verify(this.authorizationFailureHandler).onAuthorizationFailure(this.authorizationExceptionCaptor.capture(),
this.authenticationCaptor.capture(), this.attributesCaptor.capture());
verifyNoMoreInteractions(this.authorizedClientManager, this.authorizationFailureHandler);
assertThat(this.authorizationExceptionCaptor.getValue()).isEqualTo(authorizationException);
assertThat(this.authenticationCaptor.getValue()).isEqualTo(this.principal);
assertThat(this.attributesCaptor.getValue()).containsExactly(entry(HttpServletRequest.class.getName(), request),
entry(HttpServletResponse.class.getName(), response));
}
@Test
public void interceptWhenUnauthorizedAndAuthorizationFailureHandlerSetWithAuthorizedClientRepositoryThenAuthorizedClientRemoved() {
this.requestInterceptor.setAuthorizationFailureHandler(
OAuth2ClientHttpRequestInterceptor.authorizationFailureHandler(this.authorizedClientRepository));
given(this.authorizedClientManager.authorize(any(OAuth2AuthorizeRequest.class)))
.willReturn(this.authorizedClient);
bindToRestClient(withRequestInterceptor());
this.server.expect(requestTo(REQUEST_URI))
.andExpect(hasAuthorizationHeader(this.authorizedClient.getAccessToken()))
.andRespond(withStatus(HttpStatus.UNAUTHORIZED));
SecurityContext securityContext = new SecurityContextImpl();
securityContext.setAuthentication(this.principal);
SecurityContextHolder.setContext(securityContext);
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request, response));
assertThatExceptionOfType(HttpClientErrorException.class)
.isThrownBy(() -> performRequest(withClientRegistrationId()))
.satisfies((ex) -> assertThat(ex.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED));
this.server.verify();
verify(this.authorizedClientManager).authorize(any(OAuth2AuthorizeRequest.class));
verify(this.authorizedClientRepository).removeAuthorizedClient(this.clientRegistration.getRegistrationId(),
this.principal, request, response);
verifyNoMoreInteractions(this.authorizedClientManager, this.authorizedClientRepository);
}
@Test
public void interceptWhenUnauthorizedAndAuthorizationFailureHandlerSetWithAuthorizedClientServiceThenAuthorizedClientRemoved() {
this.requestInterceptor.setAuthorizationFailureHandler(
OAuth2ClientHttpRequestInterceptor.authorizationFailureHandler(this.authorizedClientService));
given(this.authorizedClientManager.authorize(any(OAuth2AuthorizeRequest.class)))
.willReturn(this.authorizedClient);
bindToRestClient(withRequestInterceptor());
this.server.expect(requestTo(REQUEST_URI))
.andExpect(hasAuthorizationHeader(this.authorizedClient.getAccessToken()))
.andRespond(withStatus(HttpStatus.UNAUTHORIZED));
SecurityContext securityContext = new SecurityContextImpl();
securityContext.setAuthentication(this.principal);
SecurityContextHolder.setContext(securityContext);
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request, response));
assertThatExceptionOfType(HttpClientErrorException.class)
.isThrownBy(() -> performRequest(withClientRegistrationId()))
.satisfies((ex) -> assertThat(ex.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED));
this.server.verify();
verify(this.authorizedClientManager).authorize(any(OAuth2AuthorizeRequest.class));
verify(this.authorizedClientService).removeAuthorizedClient(this.clientRegistration.getRegistrationId(),
this.principal.getName());
verifyNoMoreInteractions(this.authorizedClientManager, this.authorizedClientService);
}
@Test
public void interceptWhenClientRegistrationIdResolverSetThenUsed() {
this.requestInterceptor = new OAuth2ClientHttpRequestInterceptor(this.authorizedClientManager,
this.clientRegistrationIdResolver);
this.requestInterceptor.setAuthorizationFailureHandler(this.authorizationFailureHandler);
given(this.authorizedClientManager.authorize(any(OAuth2AuthorizeRequest.class)))
.willReturn(this.authorizedClient);
String clientRegistrationId = "test-client";
given(this.clientRegistrationIdResolver.resolve(any(HttpRequest.class))).willReturn(clientRegistrationId);
bindToRestClient(withRequestInterceptor());
this.server.expect(requestTo(REQUEST_URI))
.andExpect(hasAuthorizationHeader(this.authorizedClient.getAccessToken()))
.andRespond(withApplicationJson());
SecurityContext securityContext = new SecurityContextImpl();
securityContext.setAuthentication(this.principal);
SecurityContextHolder.setContext(securityContext);
performRequest(withDefaults());
this.server.verify();
verify(this.authorizedClientManager).authorize(this.authorizeRequestCaptor.capture());
verify(this.clientRegistrationIdResolver).resolve(any(HttpRequest.class));
verifyNoMoreInteractions(this.clientRegistrationIdResolver, this.authorizedClientManager);
verifyNoInteractions(this.authorizationFailureHandler);
OAuth2AuthorizeRequest authorizeRequest = this.authorizeRequestCaptor.getValue();
assertThat(authorizeRequest.getClientRegistrationId()).isEqualTo(clientRegistrationId);
assertThat(authorizeRequest.getPrincipal()).isEqualTo(this.principal);
}
@Test
public void interceptWhenCustomSecurityContextHolderStrategySetThenUsed() {
this.requestInterceptor.setSecurityContextHolderStrategy(this.securityContextHolderStrategy);
given(this.authorizedClientManager.authorize(any(OAuth2AuthorizeRequest.class)))
.willReturn(this.authorizedClient);
bindToRestClient(withRequestInterceptor());
this.server.expect(requestTo(REQUEST_URI))
.andExpect(hasAuthorizationHeader(this.authorizedClient.getAccessToken()))
.andRespond(withApplicationJson());
SecurityContext securityContext = new SecurityContextImpl();
securityContext.setAuthentication(this.principal);
given(this.securityContextHolderStrategy.getContext()).willReturn(securityContext);
performRequest(withClientRegistrationId());
this.server.verify();
verify(this.authorizedClientManager).authorize(this.authorizeRequestCaptor.capture());
verify(this.securityContextHolderStrategy).getContext();
verifyNoMoreInteractions(this.authorizedClientManager);
OAuth2AuthorizeRequest authorizeRequest = this.authorizeRequestCaptor.getValue();
assertThat(authorizeRequest.getClientRegistrationId()).isEqualTo(this.clientRegistration.getRegistrationId());
assertThat(authorizeRequest.getPrincipal()).isEqualTo(this.principal);
}
private void bindToRestClient(Consumer<RestClient.Builder> customizer) {
RestClient.Builder builder = RestClient.builder();
customizer.accept(builder);
this.server = MockRestServiceServer.bindTo(builder).build();
this.restClient = builder.build();
}
private Consumer<RestClient.Builder> withRequestInterceptor() {
return (builder) -> builder.requestInterceptor(this.requestInterceptor);
}
private static RequestMatcher hasAuthorizationHeader(OAuth2AccessToken accessToken) {
String tokenType = accessToken.getTokenType().getValue();
String tokenValue = accessToken.getTokenValue();
return header(HttpHeaders.AUTHORIZATION, "%s %s".formatted(tokenType, tokenValue));
}
private static ResponseCreator withApplicationJson() {
HttpHeaders headers = new HttpHeaders();
headers.setContentType(MediaType.APPLICATION_JSON);
return withSuccess().headers(headers).body("{}");
}
private static ResponseCreator withWwwAuthenticateHeader(HttpStatus httpStatus) {
String wwwAuthenticateHeader = "Bearer error=\"insufficient_scope\", "
+ "error_description=\"The request requires higher privileges than provided by the access token.\", "
+ "error_uri=\"https://tools.ietf.org/html/rfc6750#section-3.1\"";
HttpHeaders headers = new HttpHeaders();
headers.set(HttpHeaders.WWW_AUTHENTICATE, wwwAuthenticateHeader);
return withStatus(httpStatus).headers(headers);
}
private static ResponseCreator withException(OAuth2AuthorizationException ex) {
return (request) -> {
throw ex;
};
}
private void performRequest(Consumer<RestClient.RequestHeadersSpec<?>> customizer) {
RestClient.RequestHeadersSpec<?> spec = this.restClient.get().uri(REQUEST_URI);
customizer.accept(spec);
spec.retrieve().toBodilessEntity();
}
private static Consumer<RestClient.RequestHeadersSpec<?>> withDefaults() {
return (spec) -> {
};
}
private Consumer<RestClient.RequestHeadersSpec<?>> withClientRegistrationId() {
return (spec) -> spec.attributes(RequestAttributeClientRegistrationIdResolver
.clientRegistrationId(this.clientRegistration.getRegistrationId()));
}
private Consumer<ClientAuthorizationException> hasOAuth2Error(String errorCode, String errorDescription) {
return (ex) -> {
assertThat(ex.getClientRegistrationId()).isEqualTo(this.clientRegistration.getRegistrationId());
assertThat(ex.getError().getErrorCode()).isEqualTo(errorCode);
assertThat(ex.getError().getDescription()).isEqualTo(errorDescription);
assertThat(ex.getError().getUri()).isEqualTo(ERROR_URI);
assertThat(ex).hasNoCause();
assertThat(ex).hasMessageContaining(errorCode);
};
}
}
Write Preview
Loading…
Cancel
Save