Add client_credentials grant type support

Author: alek-sys

core/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationProvider.java

@@ -0,0 +1,66 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.authentication;
+
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.token.TokenIssuer;
+
+/**
+ * An {@link AuthenticationProvider} that converts give {@link OAuth2ClientCredentialsAuthenticationToken} to a {@link OAuth2AccessTokenAuthenticationToken}
+ * using the provided token generator.
+ *
+ * @author Alexey Nesterov
+ */
+public class OAuth2ClientCredentialsAuthenticationProvider implements AuthenticationProvider {
+
+	private final RegisteredClientRepository registeredClientsRepository;
+	private final TokenIssuer<RegisteredClient> tokenIssuer;
+
+	public OAuth2ClientCredentialsAuthenticationProvider(RegisteredClientRepository registeredClientsRepository, TokenIssuer<RegisteredClient> tokenIssuer) {
+		this.registeredClientsRepository = registeredClientsRepository;
+		this.tokenIssuer = tokenIssuer;
+	}
+
+	@Override
+	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+		final OAuth2ClientCredentialsAuthenticationToken token = (OAuth2ClientCredentialsAuthenticationToken) authentication;
+		final String clientId = token.getPrincipal().toString();
+		final String clientSecret = token.getCredentials().toString();
+
+		RegisteredClient registeredClient = this.registeredClientsRepository.findByClientId(clientId);
+		if (registeredClient == null) {
+			throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_CLIENT));
+		}
+
+		if (!clientSecret.equals(registeredClient.getClientSecret())) {
+			throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_CLIENT));
+		}
+
+		return new OAuth2AccessTokenAuthenticationToken(registeredClient, token, this.tokenIssuer.issue(registeredClient));
+	}
+
+	@Override
+	public boolean supports(Class<?> authentication) {
+		return authentication == OAuth2ClientCredentialsAuthenticationToken.class;
+	}
+}

core/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationToken.java

@@ -0,0 +1,48 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.server.authorization.authentication;
+
+import java.util.Collections;
+
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.util.Assert;
+
+public class OAuth2ClientCredentialsAuthenticationToken extends AbstractAuthenticationToken {
+
+	private final String clientId;
+	private final String clientSecret;
+
+	public OAuth2ClientCredentialsAuthenticationToken(String clientId, String clientSecret) {
+		super(Collections.emptyList());
+
+		Assert.hasText(clientId, "clientId cannot be empty");
+		Assert.hasText(clientSecret, "clientId cannot be empty");
+
+		this.clientId = clientId;
+		this.clientSecret = clientSecret;
+	}
+
+	@Override
+	public Object getCredentials() {
+		return this.clientSecret;
+	}
+
+	@Override
+	public Object getPrincipal() {
+		return this.clientId;
+	}
+}

core/src/main/java/org/springframework/security/oauth2/server/authorization/token/TokenIssuer.java

@@ -0,0 +1,25 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.token;
+
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+
+/**
+ * @author Alexey Nesterov
+ */
+public interface TokenIssuer<PRINCIPAL> {
+	OAuth2AccessToken issue(PRINCIPAL principal);
+}

core/src/main/java/org/springframework/security/oauth2/server/authorization/web/AuthorizationCodeAuthenticationConverter.java

@@ -0,0 +1,85 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.server.authorization.web;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken;
+import org.springframework.util.MultiValueMap;
+import org.springframework.util.StringUtils;
+
+class AuthorizationCodeAuthenticationConverter implements Converter<HttpServletRequest, Authentication> {
+
+	@Override
+	public Authentication convert(HttpServletRequest request) {
+		MultiValueMap<String, String> parameters = OAuth2EndpointUtils.getParameters(request);
+
+		// grant_type (REQUIRED)
+		String grantType = parameters.getFirst(OAuth2ParameterNames.GRANT_TYPE);
+		if (!StringUtils.hasText(grantType) ||
+				parameters.get(OAuth2ParameterNames.GRANT_TYPE).size() != 1) {
+			throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.GRANT_TYPE);
+		}
+		if (!AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(grantType)) {
+			throwError(OAuth2ErrorCodes.UNSUPPORTED_GRANT_TYPE, OAuth2ParameterNames.GRANT_TYPE);
+		}
+
+		// client_id (REQUIRED)
+		String clientId = parameters.getFirst(OAuth2ParameterNames.CLIENT_ID);
+		Authentication clientPrincipal = null;
+		if (StringUtils.hasText(clientId)) {
+			if (parameters.get(OAuth2ParameterNames.CLIENT_ID).size() != 1) {
+				throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.CLIENT_ID);
+			}
+		} else {
+			clientPrincipal = SecurityContextHolder.getContext().getAuthentication();
+		}
+
+		// code (REQUIRED)
+		String code = parameters.getFirst(OAuth2ParameterNames.CODE);
+		if (!StringUtils.hasText(code) ||
+				parameters.get(OAuth2ParameterNames.CODE).size() != 1) {
+			throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.CODE);
+		}
+
+		// redirect_uri (REQUIRED)
+		// Required only if the "redirect_uri" parameter was included in the authorization request
+		String redirectUri = parameters.getFirst(OAuth2ParameterNames.REDIRECT_URI);
+		if (StringUtils.hasText(redirectUri) &&
+				parameters.get(OAuth2ParameterNames.REDIRECT_URI).size() != 1) {
+			throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.REDIRECT_URI);
+		}
+
+		return clientPrincipal != null ?
+				new OAuth2AuthorizationCodeAuthenticationToken(code, clientPrincipal, redirectUri) :
+				new OAuth2AuthorizationCodeAuthenticationToken(code, clientId, redirectUri);
+	}
+
+	private void throwError(String errorCode, String parameterName) {
+		OAuth2Error error = new OAuth2Error(errorCode, "OAuth 2.0 Parameter: " + parameterName,
+				"https://tools.ietf.org/html/rfc6749#section-5.2");
+		throw new OAuth2AuthenticationException(error);
+	}
+}

core/src/main/java/org/springframework/security/oauth2/server/authorization/web/ClientCredentialsAuthenticationConverter.java

@@ -0,0 +1,68 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.server.authorization.web;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken;
+import org.springframework.util.MultiValueMap;
+import org.springframework.util.StringUtils;
+
+class ClientCredentialsAuthenticationConverter implements Converter<HttpServletRequest, Authentication> {
+
+	@Override
+	public Authentication convert(HttpServletRequest request) {
+		MultiValueMap<String, String> parameters = OAuth2EndpointUtils.getParameters(request);
+
+		// grant_type (REQUIRED)
+		String grantType = parameters.getFirst(OAuth2ParameterNames.GRANT_TYPE);
+		if (!StringUtils.hasText(grantType) ||
+				parameters.get(OAuth2ParameterNames.GRANT_TYPE).size() != 1) {
+			throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.GRANT_TYPE);
+		}
+		if (!AuthorizationGrantType.CLIENT_CREDENTIALS.getValue().equals(grantType)) {
+			throwError(OAuth2ErrorCodes.UNSUPPORTED_GRANT_TYPE, OAuth2ParameterNames.GRANT_TYPE);
+		}
+
+		// client_id (REQUIRED)
+		String clientId = parameters.getFirst(OAuth2ParameterNames.CLIENT_ID);
+		if (!StringUtils.hasText(clientId)) {
+			throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.CLIENT_ID);
+		}
+
+		// client_secret (REQUIRED)
+		String clientSecret = parameters.getFirst(OAuth2ParameterNames.CLIENT_SECRET);
+		if (!StringUtils.hasText(clientSecret)) {
+			throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.CLIENT_SECRET);
+		}
+
+		return new OAuth2ClientCredentialsAuthenticationToken(clientId, clientSecret);
+	}
+
+	private void throwError(String errorCode, String parameterName) {
+		OAuth2Error error = new OAuth2Error(errorCode, "OAuth 2.0 Parameter: " + parameterName,
+				"https://tools.ietf.org/html/rfc6749#section-5.2");
+		throw new OAuth2AuthenticationException(error);
+	}
+}