From fc795a81d43c08b0e75570eb7da9004e2d9bd311 Mon Sep 17 00:00:00 2001 From: Joe Grandja <10884212+jgrandja@users.noreply.github.com> Date: Fri, 17 Oct 2025 15:49:37 -0400 Subject: [PATCH] PAR uses requested scopes on consent Issue https://github.com/spring-projects/spring-authorization-server/pull/2182 --- .../OAuth2AuthorizationCodeGrantTests.java | 116 +++++++++++++++++- ...tionCodeRequestAuthenticationProvider.java | 9 +- .../OAuth2AuthorizationEndpointFilter.java | 12 +- 3 files changed, 133 insertions(+), 4 deletions(-) diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java index 1229ea8881..fc9ef1c7a2 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java @@ -1071,6 +1071,94 @@ public class OAuth2AuthorizationCodeGrantTests { .isEqualTo(true); } + // gh-2182 + @Test + public void requestWhenPushedAuthorizationRequestAndRequiresConsentThenDisplaysConsentPage() throws Exception { + this.spring.register(AuthorizationServerConfigurationWithPushedAuthorizationRequests.class).autowire(); + + RegisteredClient registeredClient = TestRegisteredClients.registeredClient().scopes((scopes) -> { + scopes.clear(); + scopes.add("message.read"); + scopes.add("message.write"); + }).clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build()).build(); + this.registeredClientRepository.save(registeredClient); + + MvcResult mvcResult = this.mvc + .perform(post("/oauth2/par").params(getAuthorizationRequestParameters(registeredClient)) + .header(HttpHeaders.AUTHORIZATION, getAuthorizationHeader(registeredClient))) + .andExpect(header().string(HttpHeaders.CACHE_CONTROL, containsString("no-store"))) + .andExpect(header().string(HttpHeaders.PRAGMA, containsString("no-cache"))) + .andExpect(status().isCreated()) + .andExpect(jsonPath("$.request_uri").isNotEmpty()) + .andExpect(jsonPath("$.expires_in").isNotEmpty()) + .andReturn(); + + String requestUri = JsonPath.read(mvcResult.getResponse().getContentAsString(), "$.request_uri"); + + String consentPage = this.mvc + .perform(get(DEFAULT_AUTHORIZATION_ENDPOINT_URI) + .queryParam(OAuth2ParameterNames.CLIENT_ID, registeredClient.getClientId()) + .queryParam(OAuth2ParameterNames.REQUEST_URI, requestUri) + .with(user("user"))) + .andExpect(status().is2xxSuccessful()) + .andReturn() + .getResponse() + .getContentAsString(); + + assertThat(consentPage).contains("Consent required"); + assertThat(consentPage).contains(scopeCheckbox("message.read")); + assertThat(consentPage).contains(scopeCheckbox("message.write")); + } + + // gh-2182 + @Test + public void requestWhenPushedAuthorizationRequestAndCustomConsentPageConfiguredThenRedirect() throws Exception { + this.spring.register(AuthorizationServerConfigurationWithPushedAuthorizationRequestsAndCustomConsentPage.class) + .autowire(); + + RegisteredClient registeredClient = TestRegisteredClients.registeredClient().scopes((scopes) -> { + scopes.clear(); + scopes.add("message.read"); + scopes.add("message.write"); + }).clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build()).build(); + this.registeredClientRepository.save(registeredClient); + + MvcResult mvcResult = this.mvc + .perform(post("/oauth2/par").params(getAuthorizationRequestParameters(registeredClient)) + .header(HttpHeaders.AUTHORIZATION, getAuthorizationHeader(registeredClient))) + .andExpect(header().string(HttpHeaders.CACHE_CONTROL, containsString("no-store"))) + .andExpect(header().string(HttpHeaders.PRAGMA, containsString("no-cache"))) + .andExpect(status().isCreated()) + .andExpect(jsonPath("$.request_uri").isNotEmpty()) + .andExpect(jsonPath("$.expires_in").isNotEmpty()) + .andReturn(); + + String requestUri = JsonPath.read(mvcResult.getResponse().getContentAsString(), "$.request_uri"); + + mvcResult = this.mvc + .perform(get(DEFAULT_AUTHORIZATION_ENDPOINT_URI) + .queryParam(OAuth2ParameterNames.CLIENT_ID, registeredClient.getClientId()) + .queryParam(OAuth2ParameterNames.REQUEST_URI, requestUri) + .with(user("user"))) + .andExpect(status().is3xxRedirection()) + .andReturn(); + String redirectedUrl = mvcResult.getResponse().getRedirectedUrl(); + assertThat(redirectedUrl).matches("http://localhost/oauth2/consent\\?scope=.+&client_id=.+&state=.+"); + + String locationHeader = URLDecoder.decode(redirectedUrl, StandardCharsets.UTF_8.name()); + UriComponents uriComponents = UriComponentsBuilder.fromUriString(locationHeader).build(); + MultiValueMap redirectQueryParams = uriComponents.getQueryParams(); + + assertThat(uriComponents.getPath()).isEqualTo(consentPage); + assertThat(redirectQueryParams.getFirst(OAuth2ParameterNames.SCOPE)).isEqualTo("message.read message.write"); + assertThat(redirectQueryParams.getFirst(OAuth2ParameterNames.CLIENT_ID)) + .isEqualTo(registeredClient.getClientId()); + + String state = extractParameterFromRedirectUri(redirectedUrl, "state"); + OAuth2Authorization authorization = this.authorizationService.findByToken(state, STATE_TOKEN_TYPE); + assertThat(authorization).isNotNull(); + } + private static OAuth2Authorization createAuthorization(RegisteredClient registeredClient) { Map additionalParameters = new HashMap<>(); additionalParameters.put(PkceParameterNames.CODE_CHALLENGE, S256_CODE_CHALLENGE); @@ -1125,8 +1213,8 @@ public class OAuth2AuthorizationCodeGrantTests { private static String getAuthorizationHeader(RegisteredClient registeredClient) throws Exception { String clientId = registeredClient.getClientId(); String clientSecret = registeredClient.getClientSecret(); - clientId = URLEncoder.encode(clientId, StandardCharsets.UTF_8.name()); - clientSecret = URLEncoder.encode(clientSecret, StandardCharsets.UTF_8.name()); + clientId = URLEncoder.encode(clientId, StandardCharsets.UTF_8); + clientSecret = URLEncoder.encode(clientSecret, StandardCharsets.UTF_8); String credentialsString = clientId + ":" + clientSecret; byte[] encodedBytes = Base64.getEncoder().encode(credentialsString.getBytes(StandardCharsets.UTF_8)); return "Basic " + new String(encodedBytes, StandardCharsets.UTF_8); @@ -1496,4 +1584,28 @@ public class OAuth2AuthorizationCodeGrantTests { } + @EnableWebSecurity + @Configuration(proxyBeanMethods = false) + static class AuthorizationServerConfigurationWithPushedAuthorizationRequestsAndCustomConsentPage + extends AuthorizationServerConfiguration { + + // @formatter:off + @Bean + SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception { + http + .oauth2AuthorizationServer((authorizationServer) -> + authorizationServer + .pushedAuthorizationRequestEndpoint(Customizer.withDefaults()) + .authorizationEndpoint((authorizationEndpoint) -> + authorizationEndpoint.consentPage(consentPage)) + ) + .authorizeHttpRequests((authorize) -> + authorize.anyRequest().authenticated() + ); + return http.build(); + } + // @formatter:on + + } + } diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java index 9a51ad71e2..05368c6abb 100644 --- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java @@ -21,7 +21,9 @@ import java.time.Instant; import java.util.Arrays; import java.util.Base64; import java.util.Collections; +import java.util.HashMap; import java.util.HashSet; +import java.util.Map; import java.util.Set; import java.util.function.Consumer; import java.util.function.Predicate; @@ -283,8 +285,13 @@ public final class OAuth2AuthorizationCodeRequestAuthenticationProvider implemen Set currentAuthorizedScopes = (currentAuthorizationConsent != null) ? currentAuthorizationConsent.getScopes() : null; + Map additionalParameters = new HashMap<>(); + if (pushedAuthorization != null) { + additionalParameters.put(OAuth2ParameterNames.SCOPE, authorizationRequest.getScopes()); + } + return new OAuth2AuthorizationConsentAuthenticationToken(authorizationRequest.getAuthorizationUri(), - registeredClient.getClientId(), principal, state, currentAuthorizedScopes, null); + registeredClient.getClientId(), principal, state, currentAuthorizedScopes, additionalParameters); } OAuth2TokenContext tokenContext = createAuthorizationCodeTokenContext(authorizationCodeRequestAuthentication, diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java index 3988198848..f8b44d755f 100644 --- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java @@ -291,10 +291,20 @@ public final class OAuth2AuthorizationEndpointFilter extends OncePerRequestFilte String clientId = authorizationConsentAuthentication.getClientId(); Authentication principal = (Authentication) authorizationConsentAuthentication.getPrincipal(); - Set requestedScopes = authorizationCodeRequestAuthentication.getScopes(); Set authorizedScopes = authorizationConsentAuthentication.getScopes(); String state = authorizationConsentAuthentication.getState(); + Set requestedScopes; + String requestUri = (String) authorizationCodeRequestAuthentication.getAdditionalParameters() + .get(OAuth2ParameterNames.REQUEST_URI); + if (StringUtils.hasText(requestUri)) { + requestedScopes = (Set) authorizationConsentAuthentication.getAdditionalParameters() + .get(OAuth2ParameterNames.SCOPE); + } + else { + requestedScopes = authorizationCodeRequestAuthentication.getScopes(); + } + if (hasConsentUri()) { String redirectUri = UriComponentsBuilder.fromUriString(resolveConsentUri(request)) .queryParam(OAuth2ParameterNames.SCOPE, String.join(" ", requestedScopes))