Add client_credentials grant type support

Author: alek-sys

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationServerConfigurer.java

@@ -26,6 +26,7 @@
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationProvider;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationEndpointFilter;
 import org.springframework.security.oauth2.server.authorization.web.OAuth2ClientAuthenticationFilter;
@@ -88,7 +89,12 @@ public void init(B builder) {
 				new OAuth2AuthorizationCodeAuthenticationProvider(
 						getRegisteredClientRepository(builder),
 						getAuthorizationService(builder));
+
+		OAuth2ClientCredentialsAuthenticationProvider clientCredentialsAuthenticationProvider
+				= new OAuth2ClientCredentialsAuthenticationProvider();
+
 		builder.authenticationProvider(postProcess(authorizationCodeAuthenticationProvider));
+		builder.authenticationProvider(postProcess(clientCredentialsAuthenticationProvider));
 	}
 
 	@Override

core/spring-authorization-server-core.gradle

@@ -17,6 +17,7 @@ dependencies {
 	testCompile 'org.assertj:assertj-core'
 	testCompile 'org.mockito:mockito-core'
 	testCompile 'com.squareup.okhttp3:mockwebserver'
+	testCompile 'com.jayway.jsonpath:json-path'
 
 	provided 'javax.servlet:javax.servlet-api'
 }

core/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationProvider.java

@@ -0,0 +1,81 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.authentication;
+
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Base64;
+import java.util.Set;
+
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
+import org.springframework.security.crypto.keygen.StringKeyGenerator;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+
+/**
+ * An {@link AuthenticationProvider} that converts give {@link OAuth2ClientAuthenticationToken} to a {@link OAuth2AccessTokenAuthenticationToken}
+ * using the provided token generator.
+ *
+ * @author Alexey Nesterov
+ */
+public class OAuth2ClientCredentialsAuthenticationProvider implements AuthenticationProvider {
+
+	private final StringKeyGenerator accessTokenGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder());
+
+	@Override
+	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+		OAuth2ClientCredentialsAuthenticationToken clientCredentialsAuthenticationToken =
+				(OAuth2ClientCredentialsAuthenticationToken) authentication;
+
+		OAuth2ClientAuthenticationToken clientPrincipal = null;
+		if (OAuth2ClientAuthenticationToken.class.isAssignableFrom(clientCredentialsAuthenticationToken.getPrincipal().getClass())) {
+			clientPrincipal = (OAuth2ClientAuthenticationToken) clientCredentialsAuthenticationToken.getPrincipal();
+		}
+
+		if (clientPrincipal == null || !clientPrincipal.isAuthenticated()) {
+			throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_CLIENT));
+		}
+
+		Set<String> clientScopes = clientPrincipal.getRegisteredClient().getScopes();
+		Set<String> requestedScopes = clientCredentialsAuthenticationToken.getScopes();
+		if (!clientScopes.containsAll(requestedScopes)) {
+			throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_SCOPE));
+		}
+
+		if (requestedScopes == null || requestedScopes.isEmpty()) {
+			requestedScopes = clientScopes;
+		}
+
+		String tokenValue = this.accessTokenGenerator.generateKey();
+		Instant issuedAt = Instant.now();
+		Instant expiresAt = issuedAt.plus(1, ChronoUnit.HOURS);		// TODO Allow configuration for access token lifespan
+		OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
+				tokenValue, issuedAt, expiresAt, requestedScopes);
+
+		return new OAuth2AccessTokenAuthenticationToken(
+				clientPrincipal.getRegisteredClient(), clientPrincipal, accessToken);
+	}
+
+	@Override
+	public boolean supports(Class<?> authentication) {
+		return OAuth2ClientCredentialsAuthenticationToken.class.isAssignableFrom(authentication);
+	}
+}

core/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationToken.java

@@ -0,0 +1,57 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.server.authorization.authentication;
+
+import java.util.Collections;
+import java.util.Set;
+
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.util.Assert;
+
+public class OAuth2ClientCredentialsAuthenticationToken extends AbstractAuthenticationToken {
+
+	private final Authentication clientPrincipal;
+	private final Set<String> scopes;
+
+	public OAuth2ClientCredentialsAuthenticationToken(OAuth2ClientAuthenticationToken clientPrincipal, Set<String> scopes) {
+		super(Collections.emptyList());
+		Assert.notNull(clientPrincipal, "clientPrincipal cannot be null");
+		Assert.notNull(scopes, "scopes cannot be null");
+		this.clientPrincipal = clientPrincipal;
+		this.scopes = scopes;
+	}
+
+	@SuppressWarnings("unchecked")
+	public OAuth2ClientCredentialsAuthenticationToken(OAuth2ClientAuthenticationToken clientPrincipal) {
+		this(clientPrincipal, Collections.EMPTY_SET);
+	}
+
+	@Override
+	public Object getCredentials() {
+		return "";
+	}
+
+	@Override
+	public Object getPrincipal() {
+		return this.clientPrincipal;
+	}
+
+	public Set<String> getScopes() {
+		return this.scopes;
+	}
+}

core/src/main/java/org/springframework/security/oauth2/server/authorization/web/DelegatingAuthorizationGrantAuthenticationConverter.java

@@ -0,0 +1,51 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.server.authorization.web;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.Collections;
+import java.util.Map;
+
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.util.StringUtils;
+
+public final class DelegatingAuthorizationGrantAuthenticationConverter implements Converter<HttpServletRequest, Authentication> {
+
+	private final Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters;
+
+	DelegatingAuthorizationGrantAuthenticationConverter(Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters) {
+		this.converters = Collections.unmodifiableMap(converters);
+	}
+
+	@Override
+	public Authentication convert(HttpServletRequest request) {
+		String grantType = request.getParameter(OAuth2ParameterNames.GRANT_TYPE);
+		if (StringUtils.isEmpty(grantType)) {
+			return null;
+		}
+
+		Converter<HttpServletRequest, Authentication> converter = this.converters.get(new AuthorizationGrantType(grantType));
+		if (converter == null) {
+			return null;
+		}
+
+		return converter.convert(request);
+	}
+}

core/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2ScopeParser.java

@@ -0,0 +1,46 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.server.authorization.web;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * Parses scope parameter according to 3.3 section of the spec.
+ *
+ * @see <a href="https://tools.ietf.org/html/rfc6749#section-3.3" target="_blank">3.3.  Access Token Scope</a>
+ */
+class OAuth2ScopeParser {
+
+	//  scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
+	//  scope       = scope-token *( SP scope-token )
+	private static final String SCOPE_TOKEN = "[\\x21\\x23-\\x5B\\x5D-\\x7E]+";
+	private static final String SCOPE = "^" + SCOPE_TOKEN + "(?:\\ " + SCOPE_TOKEN + ")*$";
+
+	static class InvalidScopeFormatException extends Exception {
+	}
+
+	Set<String> parse(String scope) throws InvalidScopeFormatException {
+		if (!scope.matches(SCOPE)) {
+			throw new InvalidScopeFormatException();
+		}
+
+		String[] scopes = scope.split(" ");
+		return new HashSet<>(Arrays.asList(scopes));
+	}
+}

core/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilter.java

@@ -15,6 +15,16 @@
  */
 package org.springframework.security.oauth2.server.authorization.web;
 
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.time.temporal.ChronoUnit;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
@@ -35,20 +45,15 @@
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 import org.springframework.util.MultiValueMap;
 import org.springframework.util.StringUtils;
 import org.springframework.web.filter.OncePerRequestFilter;
 
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.time.temporal.ChronoUnit;
-
 /**
  * A {@code Filter} for the OAuth 2.0 Authorization Code Grant,
  * which handles the processing of the OAuth 2.0 Access Token Request.
@@ -86,8 +91,8 @@ public class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
 	private final AuthenticationManager authenticationManager;
 	private final OAuth2AuthorizationService authorizationService;
 	private final RequestMatcher tokenEndpointMatcher;
-	private final Converter<HttpServletRequest, Authentication> authorizationGrantAuthenticationConverter =
-			new AuthorizationCodeAuthenticationConverter();
+	private final Converter<HttpServletRequest, Authentication> authorizationGrantAuthenticationConverter;
+
 	private final HttpMessageConverter<OAuth2AccessTokenResponse> accessTokenHttpResponseConverter =
 			new OAuth2AccessTokenResponseHttpMessageConverter();
 	private final HttpMessageConverter<OAuth2Error> errorHttpResponseConverter =
@@ -119,6 +124,11 @@ public OAuth2TokenEndpointFilter(AuthenticationManager authenticationManager,
 		this.authenticationManager = authenticationManager;
 		this.authorizationService = authorizationService;
 		this.tokenEndpointMatcher = new AntPathRequestMatcher(tokenEndpointUri, HttpMethod.POST.name());
+
+		Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters = new HashMap<>();
+		converters.put(AuthorizationGrantType.AUTHORIZATION_CODE, new AuthorizationCodeAuthenticationConverter());
+		converters.put(AuthorizationGrantType.CLIENT_CREDENTIALS, new ClientCredentialsAuthenticationConverter());
+		this.authorizationGrantAuthenticationConverter = new DelegatingAuthorizationGrantAuthenticationConverter(converters);
 	}
 
 	@Override
@@ -131,8 +141,11 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 		}
 
 		try {
-			Authentication authorizationGrantAuthentication =
-					this.authorizationGrantAuthenticationConverter.convert(request);
+			Authentication authorizationGrantAuthentication = this.authorizationGrantAuthenticationConverter.convert(request);
+			if (authorizationGrantAuthentication == null) {
+				throwError(OAuth2ErrorCodes.UNSUPPORTED_GRANT_TYPE, "grant_type");
+			}
+
 			OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
 					(OAuth2AccessTokenAuthenticationToken) this.authenticationManager.authenticate(authorizationGrantAuthentication);
 			sendAccessTokenResponse(response, accessTokenAuthentication.getAccessToken());
@@ -161,7 +174,7 @@ private void sendErrorResponse(HttpServletResponse response, OAuth2Error error)
 		this.errorHttpResponseConverter.write(error, null, httpResponse);
 	}
 
-	private static OAuth2AuthenticationException throwError(String errorCode, String parameterName) {
+	private static void throwError(String errorCode, String parameterName) {
 		OAuth2Error error = new OAuth2Error(errorCode, "OAuth 2.0 Parameter: " + parameterName,
 				"https://tools.ietf.org/html/rfc6749#section-5.2");
 		throw new OAuth2AuthenticationException(error);
@@ -214,4 +227,39 @@ public Authentication convert(HttpServletRequest request) {
 					new OAuth2AuthorizationCodeAuthenticationToken(code, clientId, redirectUri);
 		}
 	}
+
+	/**
+	 * Validates that client is authenticated by {@link OAuth2ClientAuthenticationFilter}
+	 *
+	 * @see OAuth2ClientAuthenticationToken
+	 * @see OAuth2ClientAuthenticationFilter
+	 * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.4">Section 4.4 Client Credentials Grant</a>
+	 */
+	private static class ClientCredentialsAuthenticationConverter implements Converter<HttpServletRequest, Authentication> {
+
+		private static final String SCOPE_PARAMETER_NAME = OAuth2ParameterNames.SCOPE;
+		private final OAuth2ScopeParser scopesParser = new OAuth2ScopeParser();
+
+		@Override
+		public Authentication convert(HttpServletRequest request) {
+			final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+			final OAuth2ClientAuthenticationToken clientAuthenticationToken = (OAuth2ClientAuthenticationToken) authentication;
+
+			// "scope" is optional, see https://tools.ietf.org/html/rfc6749#section-4.4.2 and https://tools.ietf.org/html/rfc6749#section-3.3
+			String scopeParameter = request.getParameter(SCOPE_PARAMETER_NAME);
+			if (StringUtils.isEmpty(scopeParameter)) {
+				return new OAuth2ClientCredentialsAuthenticationToken(clientAuthenticationToken);
+			}
+
+			Set<String> requestedScopes = null;
+			try {
+				requestedScopes = scopesParser.parse(scopeParameter);
+			}
+			catch (OAuth2ScopeParser.InvalidScopeFormatException e) {
+				throwError(OAuth2ErrorCodes.INVALID_SCOPE, "scope");
+			}
+
+			return new OAuth2ClientCredentialsAuthenticationToken(clientAuthenticationToken, requestedScopes);
+		}
+	}
 }