Implement User Info Endpoint

Author: Steve Riesenberg

oauth2-authorization-server/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcConfigurer.java

@@ -36,9 +36,11 @@
  * @since 0.2.0
  * @see OAuth2AuthorizationServerConfigurer#oidc
  * @see OidcClientRegistrationEndpointConfigurer
+ * @see OidcUserInfoEndpointConfigurer
  * @see OidcProviderConfigurationEndpointFilter
  */
 public final class OidcConfigurer extends AbstractOAuth2Configurer {
+	private final OidcUserInfoEndpointConfigurer userInfoEndpointConfigurer;
 	private OidcClientRegistrationEndpointConfigurer clientRegistrationEndpointConfigurer;
 	private RequestMatcher requestMatcher;
 
@@ -47,6 +49,7 @@ public final class OidcConfigurer extends AbstractOAuth2Configurer {
 	 */
 	OidcConfigurer(ObjectPostProcessor<Object> objectPostProcessor) {
 		super(objectPostProcessor);
+		this.userInfoEndpointConfigurer = new OidcUserInfoEndpointConfigurer(objectPostProcessor);
 	}
 
 	/**
@@ -63,8 +66,20 @@ public OidcConfigurer clientRegistrationEndpoint(Customizer<OidcClientRegistrati
 		return this;
 	}
 
+	/**
+	 * Configures the OpenID Connect 1.0 UserInfo Endpoint.
+	 *
+	 * @param userInfoEndpointCustomizer the {@link Customizer} providing access to the {@link OidcUserInfoEndpointConfigurer}
+	 * @return the {@link OidcConfigurer} for further configuration
+	 */
+	public OidcConfigurer userInfoEndpoint(Customizer<OidcUserInfoEndpointConfigurer> userInfoEndpointCustomizer) {
+		userInfoEndpointCustomizer.customize(this.userInfoEndpointConfigurer);
+		return this;
+	}
+
 	@Override
 	<B extends HttpSecurityBuilder<B>> void init(B builder) {
+		this.userInfoEndpointConfigurer.init(builder);
 		if (this.clientRegistrationEndpointConfigurer != null) {
 			this.clientRegistrationEndpointConfigurer.init(builder);
 		}
@@ -75,14 +90,16 @@ <B extends HttpSecurityBuilder<B>> void init(B builder) {
 			requestMatchers.add(new AntPathRequestMatcher(
 					"/.well-known/openid-configuration", HttpMethod.GET.name()));
 		}
+		requestMatchers.add(this.userInfoEndpointConfigurer.getRequestMatcher());
 		if (this.clientRegistrationEndpointConfigurer != null) {
 			requestMatchers.add(this.clientRegistrationEndpointConfigurer.getRequestMatcher());
 		}
-		this.requestMatcher = !requestMatchers.isEmpty() ? new OrRequestMatcher(requestMatchers) : request -> false;
+		this.requestMatcher = requestMatchers.size() > 1 ? new OrRequestMatcher(requestMatchers) : requestMatchers.get(0);
 	}
 
 	@Override
 	<B extends HttpSecurityBuilder<B>> void configure(B builder) {
+		this.userInfoEndpointConfigurer.configure(builder);
 		if (this.clientRegistrationEndpointConfigurer != null) {
 			this.clientRegistrationEndpointConfigurer.configure(builder);
 		}

oauth2-authorization-server/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcUserInfoEndpointConfigurer.java

@@ -0,0 +1,112 @@
+/*
+ * Copyright 2020-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization;
+
+import java.util.function.Function;
+
+import org.springframework.http.HttpMethod;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.ObjectPostProcessor;
+import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.security.oauth2.core.OAuth2Token;
+import org.springframework.security.oauth2.core.authentication.OAuth2AuthenticationContext;
+import org.springframework.security.oauth2.core.oidc.OidcIdToken;
+import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
+import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
+import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
+import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcUserInfoAuthenticationProvider;
+import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcUserInfoAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.oidc.web.OidcUserInfoEndpointFilter;
+import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.OrRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+/**
+ * Configurer for OpenID Connect 1.0 UserInfo Endpoint.
+ *
+ * @author Steve Riesenberg
+ * @since 0.2.1
+ * @see OidcConfigurer#userInfoEndpoint
+ * @see OidcUserInfoEndpointFilter
+ */
+public final class OidcUserInfoEndpointConfigurer extends AbstractOAuth2Configurer {
+	private RequestMatcher requestMatcher;
+	private Function<OAuth2AuthenticationContext, OidcUserInfo> userInfoMapper;
+
+	/**
+	 * Restrict for internal use only.
+	 */
+	OidcUserInfoEndpointConfigurer(ObjectPostProcessor<Object> objectPostProcessor) {
+		super(objectPostProcessor);
+	}
+
+	/**
+	 * Sets the {@link Function} used to extract claims from an {@link OAuth2AuthenticationContext}
+	 * to an instance of {@link OidcUserInfo}.
+	 *
+	 * <p>
+	 * The {@link OAuth2AuthenticationContext} gives the mapper access to the {@link OidcUserInfoAuthenticationToken}.
+	 * In addition, the following context attributes are supported:
+	 * <ul>
+	 * <li>{@code OAuth2Token.class} - The {@link OAuth2Token} containing the bearer token used to make the request.</li>
+	 * <li>{@code OAuth2Authorization.class} - The {@link OAuth2Authorization} containing the {@link OidcIdToken} and
+	 * {@link OAuth2AccessToken} associated with the bearer token used to make the request.</li>
+	 * </ul>
+	 *
+	 * @param userInfoMapper the {@link Function} used to extract claims from an {@link OAuth2AuthenticationContext} to an instance of {@link OidcUserInfo}
+	 * @return the {@link OidcUserInfoEndpointConfigurer} for further configuration
+	 */
+	public OidcUserInfoEndpointConfigurer userInfoMapper(Function<OAuth2AuthenticationContext, OidcUserInfo> userInfoMapper) {
+		this.userInfoMapper = userInfoMapper;
+		return this;
+	}
+
+	@Override
+	<B extends HttpSecurityBuilder<B>> void init(B builder) {
+		ProviderSettings providerSettings = OAuth2ConfigurerUtils.getProviderSettings(builder);
+		String userInfoEndpointUri = providerSettings.getOidcUserInfoEndpoint();
+		this.requestMatcher = new OrRequestMatcher(
+				new AntPathRequestMatcher(userInfoEndpointUri, HttpMethod.GET.name()),
+				new AntPathRequestMatcher(userInfoEndpointUri, HttpMethod.POST.name()));
+
+		OidcUserInfoAuthenticationProvider oidcUserInfoAuthenticationProvider =
+				new OidcUserInfoAuthenticationProvider(
+						OAuth2ConfigurerUtils.getAuthorizationService(builder));
+		if (this.userInfoMapper != null) {
+			oidcUserInfoAuthenticationProvider.setUserInfoMapper(this.userInfoMapper);
+		}
+		builder.authenticationProvider(postProcess(oidcUserInfoAuthenticationProvider));
+	}
+
+	@Override
+	<B extends HttpSecurityBuilder<B>> void configure(B builder) {
+		AuthenticationManager authenticationManager = builder.getSharedObject(AuthenticationManager.class);
+		ProviderSettings providerSettings = OAuth2ConfigurerUtils.getProviderSettings(builder);
+
+		OidcUserInfoEndpointFilter oidcUserInfoEndpointFilter =
+				new OidcUserInfoEndpointFilter(
+						authenticationManager,
+						providerSettings.getOidcUserInfoEndpoint());
+		builder.addFilterAfter(postProcess(oidcUserInfoEndpointFilter), FilterSecurityInterceptor.class);
+	}
+
+	@Override
+	RequestMatcher getRequestMatcher() {
+		return this.requestMatcher;
+	}
+}

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/http/converter/OidcUserInfoHttpMessageConverter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 the original author or authors.
+ * Copyright 2020-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,44 +15,46 @@
  */
 package org.springframework.security.oauth2.core.oidc.http.converter;
 
+import java.time.Instant;
+import java.util.HashMap;
+import java.util.Map;
+
 import org.springframework.core.ParameterizedTypeReference;
 import org.springframework.core.convert.TypeDescriptor;
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.http.HttpInputMessage;
 import org.springframework.http.HttpOutputMessage;
 import org.springframework.http.MediaType;
-import org.springframework.http.converter.HttpMessageConverter;
+import org.springframework.http.converter.AbstractHttpMessageConverter;
 import org.springframework.http.converter.GenericHttpMessageConverter;
-import org.springframework.http.converter.HttpMessageNotWritableException;
+import org.springframework.http.converter.HttpMessageConverter;
 import org.springframework.http.converter.HttpMessageNotReadableException;
-import org.springframework.http.converter.AbstractHttpMessageConverter;
+import org.springframework.http.converter.HttpMessageNotWritableException;
 import org.springframework.security.oauth2.core.converter.ClaimConversionService;
 import org.springframework.security.oauth2.core.converter.ClaimTypeConverter;
 import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
 import org.springframework.security.oauth2.core.oidc.StandardClaimNames;
 import org.springframework.util.Assert;
 
-import java.util.HashMap;
-import java.util.Map;
-
 /**
- * A {@link HttpMessageConverter} for an {@link OidcUserInfo OIDC User Info Response}.
+ * A {@link HttpMessageConverter} for an {@link OidcUserInfo OpenID Connect UserInfo Request and Response}.
  *
  * @author Ido Salomon
+ * @author Steve Riesenberg
+ * @since 0.2.1
  * @see AbstractHttpMessageConverter
  * @see OidcUserInfo
- * @since 0.1.1
  */
 public class OidcUserInfoHttpMessageConverter extends AbstractHttpMessageConverter<OidcUserInfo> {
 
 	private static final ParameterizedTypeReference<Map<String, Object>> STRING_OBJECT_MAP =
-			new ParameterizedTypeReference<Map<String, Object>>() {
-			};
+			new ParameterizedTypeReference<Map<String, Object>>() {};
 
-	private final GenericHttpMessageConverter<Object> jsonMessageConverter = HttpMessageConverters.getJsonMessageConverter();
+	private final GenericHttpMessageConverter<Object> jsonMessageConverter =
+			HttpMessageConverters.getJsonMessageConverter();
 
-	private Converter<Map<String, Object>, OidcUserInfo> oidcUserInfoConverter = new OidcUserInfoConverter();
-	private Converter<OidcUserInfo, Map<String, Object>> oidcUserInfoParametersConverter = OidcUserInfo::getClaims;
+	private Converter<Map<String, Object>, OidcUserInfo> userInfoConverter = new MapOidcUserInfoConverter();
+	private Converter<OidcUserInfo, Map<String, Object>> userInfoParametersConverter = OidcUserInfo::getClaims;
 
 	public OidcUserInfoHttpMessageConverter() {
 		super(MediaType.APPLICATION_JSON, new MediaType("application", "*+json"));
@@ -68,90 +70,95 @@ protected boolean supports(Class<?> clazz) {
 	protected OidcUserInfo readInternal(Class<? extends OidcUserInfo> clazz, HttpInputMessage inputMessage)
 			throws HttpMessageNotReadableException {
 		try {
-			Map<String, Object> oidcUserInfoParameters =
+			Map<String, Object> userInfoParameters =
 					(Map<String, Object>) this.jsonMessageConverter.read(STRING_OBJECT_MAP.getType(), null, inputMessage);
-			return this.oidcUserInfoConverter.convert(oidcUserInfoParameters);
+			return this.userInfoConverter.convert(userInfoParameters);
 		} catch (Exception ex) {
 			throw new HttpMessageNotReadableException(
-					"An error occurred reading the OIDC User Info: " + ex.getMessage(), ex, inputMessage);
+					"An error occurred reading the UserInfo: " + ex.getMessage(), ex, inputMessage);
 		}
 	}
 
 	@Override
 	protected void writeInternal(OidcUserInfo oidcUserInfo, HttpOutputMessage outputMessage)
 			throws HttpMessageNotWritableException {
 		try {
-			Map<String, Object> oidcUserInfoResponseParameters =
-					this.oidcUserInfoParametersConverter.convert(oidcUserInfo);
+			Map<String, Object> userInfoResponseParameters =
+					this.userInfoParametersConverter.convert(oidcUserInfo);
 			this.jsonMessageConverter.write(
-					oidcUserInfoResponseParameters,
+					userInfoResponseParameters,
 					STRING_OBJECT_MAP.getType(),
 					MediaType.APPLICATION_JSON,
 					outputMessage
 			);
 		} catch (Exception ex) {
 			throw new HttpMessageNotWritableException(
-					"An error occurred writing the OIDC User Info response: " + ex.getMessage(), ex);
+					"An error occurred writing the UserInfo response: " + ex.getMessage(), ex);
 		}
 	}
 
 	/**
-	 * Sets the {@link Converter} used for converting the OIDC User Info parameters
+	 * Sets the {@link Converter} used for converting the UserInfo parameters
 	 * to an {@link OidcUserInfo}.
 	 *
-	 * @param oidcUserInfoConverter the {@link Converter} used for converting to an
-	 *                              {@link OidcUserInfo}
+	 * @param userInfoConverter the {@link Converter} used for converting to an
+	 * {@link OidcUserInfo}
 	 */
-	public final void setOidcUserInfoConverter(Converter<Map<String, Object>, OidcUserInfo> oidcUserInfoConverter) {
-		Assert.notNull(oidcUserInfoConverter, "oidcUserInfoConverter cannot be null");
-		this.oidcUserInfoConverter = oidcUserInfoConverter;
+	public final void setUserInfoConverter(Converter<Map<String, Object>, OidcUserInfo> userInfoConverter) {
+		Assert.notNull(userInfoConverter, "userInfoConverter cannot be null");
+		this.userInfoConverter = userInfoConverter;
 	}
 
 	/**
 	 * Sets the {@link Converter} used for converting the {@link OidcUserInfo} to a
-	 * {@code Map} representation of the OIDC User Info.
+	 * {@code Map} representation of the UserInfo.
 	 *
-	 * @param oidcUserInfoParametersConverter the {@link Converter} used for converting to a
-	 *                                        {@code Map} representation of the OIDC User Info
+	 * @param userInfoParametersConverter the {@link Converter} used for converting to a
+	 * {@code Map} representation of the UserInfo
 	 */
-	public final void setOidcUserInfoParametersConverter(
-			Converter<OidcUserInfo, Map<String, Object>> oidcUserInfoParametersConverter) {
-		Assert.notNull(oidcUserInfoParametersConverter, "oidcUserInfoParametersConverter cannot be null");
-		this.oidcUserInfoParametersConverter = oidcUserInfoParametersConverter;
+	public final void setUserInfoParametersConverter(
+			Converter<OidcUserInfo, Map<String, Object>> userInfoParametersConverter) {
+		Assert.notNull(userInfoParametersConverter, "userInfoParametersConverter cannot be null");
+		this.userInfoParametersConverter = userInfoParametersConverter;
 	}
 
-	private static final class OidcUserInfoConverter implements Converter<Map<String, Object>, OidcUserInfo> {
+	private static final class MapOidcUserInfoConverter implements Converter<Map<String, Object>, OidcUserInfo> {
+
 		private static final ClaimConversionService CLAIM_CONVERSION_SERVICE = ClaimConversionService.getSharedInstance();
 		private static final TypeDescriptor OBJECT_TYPE_DESCRIPTOR = TypeDescriptor.valueOf(Object.class);
 		private static final TypeDescriptor BOOLEAN_TYPE_DESCRIPTOR = TypeDescriptor.valueOf(Boolean.class);
 		private static final TypeDescriptor STRING_TYPE_DESCRIPTOR = TypeDescriptor.valueOf(String.class);
+		private static final TypeDescriptor INSTANT_TYPE_DESCRIPTOR = TypeDescriptor.valueOf(Instant.class);
+		private static final TypeDescriptor STRING_OBJECT_MAP_DESCRIPTOR = TypeDescriptor.map(Map.class, STRING_TYPE_DESCRIPTOR, OBJECT_TYPE_DESCRIPTOR);
 		private final ClaimTypeConverter claimTypeConverter;
 
-		private OidcUserInfoConverter() {
-			Converter<Object, ?> stringConverter = getConverter(STRING_TYPE_DESCRIPTOR);
+		private MapOidcUserInfoConverter() {
 			Converter<Object, ?> booleanConverter = getConverter(BOOLEAN_TYPE_DESCRIPTOR);
+			Converter<Object, ?> stringConverter = getConverter(STRING_TYPE_DESCRIPTOR);
+			Converter<Object, ?> instantConverter = getConverter(INSTANT_TYPE_DESCRIPTOR);
+			Converter<Object, ?> mapConverter = getConverter(STRING_OBJECT_MAP_DESCRIPTOR);
 
 			Map<String, Converter<Object, ?>> claimConverters = new HashMap<>();
 			claimConverters.put(StandardClaimNames.SUB, stringConverter);
-			claimConverters.put(StandardClaimNames.PROFILE, stringConverter);
-			claimConverters.put(StandardClaimNames.ADDRESS, stringConverter);
-			claimConverters.put(StandardClaimNames.BIRTHDATE, stringConverter);
-			claimConverters.put(StandardClaimNames.EMAIL, stringConverter);
-			claimConverters.put(StandardClaimNames.EMAIL_VERIFIED, booleanConverter);
 			claimConverters.put(StandardClaimNames.NAME, stringConverter);
 			claimConverters.put(StandardClaimNames.GIVEN_NAME, stringConverter);
-			claimConverters.put(StandardClaimNames.MIDDLE_NAME, stringConverter);
 			claimConverters.put(StandardClaimNames.FAMILY_NAME, stringConverter);
+			claimConverters.put(StandardClaimNames.MIDDLE_NAME, stringConverter);
 			claimConverters.put(StandardClaimNames.NICKNAME, stringConverter);
 			claimConverters.put(StandardClaimNames.PREFERRED_USERNAME, stringConverter);
-			claimConverters.put(StandardClaimNames.LOCALE, stringConverter);
-			claimConverters.put(StandardClaimNames.GENDER, stringConverter);
-			claimConverters.put(StandardClaimNames.PHONE_NUMBER, stringConverter);
-			claimConverters.put(StandardClaimNames.PHONE_NUMBER_VERIFIED, stringConverter);
+			claimConverters.put(StandardClaimNames.PROFILE, stringConverter);
 			claimConverters.put(StandardClaimNames.PICTURE, stringConverter);
-			claimConverters.put(StandardClaimNames.ZONEINFO, stringConverter);
 			claimConverters.put(StandardClaimNames.WEBSITE, stringConverter);
-			claimConverters.put(StandardClaimNames.UPDATED_AT, stringConverter);
+			claimConverters.put(StandardClaimNames.EMAIL, stringConverter);
+			claimConverters.put(StandardClaimNames.EMAIL_VERIFIED, booleanConverter);
+			claimConverters.put(StandardClaimNames.GENDER, stringConverter);
+			claimConverters.put(StandardClaimNames.BIRTHDATE, stringConverter);
+			claimConverters.put(StandardClaimNames.ZONEINFO, stringConverter);
+			claimConverters.put(StandardClaimNames.LOCALE, stringConverter);
+			claimConverters.put(StandardClaimNames.PHONE_NUMBER, stringConverter);
+			claimConverters.put(StandardClaimNames.PHONE_NUMBER_VERIFIED, booleanConverter);
+			claimConverters.put(StandardClaimNames.ADDRESS, mapConverter);
+			claimConverters.put(StandardClaimNames.UPDATED_AT, instantConverter);
 
 			this.claimTypeConverter = new ClaimTypeConverter(claimConverters);
 		}

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/ConfigurationSettingNames.java

@@ -94,6 +94,11 @@ public static final class Provider {
 		 */
 		public static final String OIDC_CLIENT_REGISTRATION_ENDPOINT = PROVIDER_SETTINGS_NAMESPACE.concat("oidc-client-registration-endpoint");
 
+		/**
+		 * Set the Provider's OpenID Connect 1.0 UserInfo endpoint.
+		 */
+		public static final String OIDC_USER_INFO_ENDPOINT = PROVIDER_SETTINGS_NAMESPACE.concat("oidc-user-info-endpoint");
+
 		private Provider() {
 		}