spring-projects
diff --git a/‎oauth2-authorization-server/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcClientRegistrationEndpointConfigurer.java
+21-3 b/‎oauth2-authorization-server/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcClientRegistrationEndpointConfigurer.java
+21-3
diff --git a/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/OidcClientMetadataClaimAccessor.java
+21 b/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/OidcClientMetadataClaimAccessor.java
+21
diff --git a/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/OidcClientMetadataClaimNames.java
+12 b/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/OidcClientMetadataClaimNames.java
+12
diff --git a/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/OidcClientRegistration.java
+20 b/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/OidcClientRegistration.java
+20
diff --git a/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcAuthenticationProviderUtils.java
+53-1 b/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcAuthenticationProviderUtils.java
+53-1
diff --git a/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcClientConfigurationAuthenticationProvider.java
+128 b/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcClientConfigurationAuthenticationProvider.java
+128
@@ -20,10 +20,13 @@
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
+import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcClientConfigurationAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcClientRegistrationAuthenticationProvider;
+import org.springframework.security.oauth2.server.authorization.oidc.web.OidcClientConfigurationEndpointFilter;
 import org.springframework.security.oauth2.server.authorization.oidc.web.OidcClientRegistrationEndpointFilter;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 
 /**
@@ -47,14 +50,24 @@ public final class OidcClientRegistrationEndpointConfigurer extends AbstractOAut
 	@Override
 	<B extends HttpSecurityBuilder<B>> void init(B builder) {
 		ProviderSettings providerSettings = OAuth2ConfigurerUtils.getProviderSettings(builder);
-		this.requestMatcher = new AntPathRequestMatcher(
-				providerSettings.getOidcClientRegistrationEndpoint(), HttpMethod.POST.name());
+		this.requestMatcher = new OrRequestMatcher(
+				new AntPathRequestMatcher(providerSettings.getOidcClientRegistrationEndpoint(), HttpMethod.POST.name()),
+				new AntPathRequestMatcher(providerSettings.getOidcClientRegistrationEndpoint(), HttpMethod.GET.name())
+		);
 
 		OidcClientRegistrationAuthenticationProvider oidcClientRegistrationAuthenticationProvider =
 				new OidcClientRegistrationAuthenticationProvider(
 						OAuth2ConfigurerUtils.getRegisteredClientRepository(builder),
-						OAuth2ConfigurerUtils.getAuthorizationService(builder));
+						OAuth2ConfigurerUtils.getAuthorizationService(builder),
+						OAuth2ConfigurerUtils.getJwtEncoder(builder),
+						providerSettings);
+		OidcClientConfigurationAuthenticationProvider oidcClientConfigurationAuthenticationProvider =
+				new OidcClientConfigurationAuthenticationProvider(
+						OAuth2ConfigurerUtils.getRegisteredClientRepository(builder),
+						OAuth2ConfigurerUtils.getAuthorizationService(builder),
+						providerSettings);
 		builder.authenticationProvider(postProcess(oidcClientRegistrationAuthenticationProvider));
+		builder.authenticationProvider(postProcess(oidcClientConfigurationAuthenticationProvider));
 	}
 
 	@Override
@@ -66,7 +79,12 @@ <B extends HttpSecurityBuilder<B>> void configure(B builder) {
 				new OidcClientRegistrationEndpointFilter(
 						authenticationManager,
 						providerSettings.getOidcClientRegistrationEndpoint());
+		OidcClientConfigurationEndpointFilter oidcClientConfigurationEndpointFilter =
+				new OidcClientConfigurationEndpointFilter(
+						authenticationManager,
+						providerSettings.getOidcClientRegistrationEndpoint());
 		builder.addFilterAfter(postProcess(oidcClientRegistrationEndpointFilter), FilterSecurityInterceptor.class);
+		builder.addFilterAfter(postProcess(oidcClientConfigurationEndpointFilter), FilterSecurityInterceptor.class);
 	}
 
 	@Override
 
@@ -15,6 +15,7 @@
  */
 package org.springframework.security.oauth2.core.oidc;
 
+import java.net.URL;
 import java.time.Instant;
 import java.util.List;
 
@@ -134,4 +135,24 @@ default String getIdTokenSignedResponseAlgorithm() {
 		return getClaimAsString(OidcClientMetadataClaimNames.ID_TOKEN_SIGNED_RESPONSE_ALG);
 	}
 
+	/**
+	 * Returns the Registration Access Token that can be used at the Client Configuration Endpoint.
+	 *
+	 * @return the Registration Access Token that can be used at the Client Configuration Endpoint
+	 * @since 0.2.1
+	 */
+	default String getRegistrationAccessToken() {
+		return getClaimAsString(OidcClientMetadataClaimNames.REGISTRATION_ACCESS_TOKEN);
+	}
+
+	/**
+	 * Returns the {@code URL} of the OAuth 2.0 Client Configuration Endpoint.
+	 *
+	 * @return the {@code URL} of the OAuth 2.0 Client Configuration Endpoint
+	 * @since 0.2.1
+	 */
+	default URL getRegistrationClientUri() {
+		return getClaimAsURL(OidcClientMetadataClaimNames.REGISTRATION_CLIENT_URI);
+	}
+
 }
@@ -83,4 +83,16 @@ public interface OidcClientMetadataClaimNames {
 	 */
 	String ID_TOKEN_SIGNED_RESPONSE_ALG = "id_token_signed_response_alg";
 
+	/**
+	 * {@code registration_access_token} - Registration Access Token that can be used at the Client Configuration Endpoint to perform subsequent operations upon the Client registration
+	 * @since 0.2.1
+	 */
+	String REGISTRATION_ACCESS_TOKEN = "registration_access_token";
+
+	/**
+	 * {@code registration_client_uri} - the {@code URL} of the OAuth 2.0 Client Configuration Endpoint
+	 * @since 0.2.1
+	 */
+	String REGISTRATION_CLIENT_URI = "registration_client_uri";
+
 }
@@ -251,6 +251,26 @@ public Builder idTokenSignedResponseAlgorithm(String idTokenSignedResponseAlgori
 			return claim(OidcClientMetadataClaimNames.ID_TOKEN_SIGNED_RESPONSE_ALG, idTokenSignedResponseAlgorithm);
 		}
 
+		/**
+		 * Sets the Registration Access Token that can be used at the Client Configuration Endpoint to perform subsequent operations upon the Client registration, OPTIONAL.
+		 *
+		 * @param registrationAccessToken the Registration Access Token that can be used at the Client Configuration Endpoint to perform subsequent operations upon the Client registration
+		 * @return the {@link Builder} for further configuration
+		 */
+		public Builder registrationAccessToken(String registrationAccessToken) {
+			return claim(OidcClientMetadataClaimNames.REGISTRATION_ACCESS_TOKEN, registrationAccessToken);
+		}
+
+		/**
+		 * Sets the {@code URL} of the OAuth 2.0 Client Configuration Endpoint, OPTIONAL.
+		 *
+		 * @param registrationClientUri the {@code URL} of the OAuth 2.0 Client Configuration Endpoint
+		 * @return the {@link Builder} for further configuration
+		 */
+		public Builder registrationClientUri(String registrationClientUri) {
+			return claim(OidcClientMetadataClaimNames.REGISTRATION_CLIENT_URI, registrationClientUri);
+		}
+
 		/**
 		 * Sets the claim.
 		 *
 
@@ -15,16 +15,26 @@
  */
 package org.springframework.security.oauth2.server.authorization.oidc.authentication;
 
+import org.springframework.lang.Nullable;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.oauth2.core.AbstractOAuth2Token;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.OAuth2AuthorizationCode;
 import org.springframework.security.oauth2.core.OAuth2RefreshToken;
+import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponseType;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.core.oidc.OidcClientRegistration;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
-import org.springframework.security.oauth2.core.OAuth2AuthorizationCode;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.util.CollectionUtils;
+import org.springframework.util.StringUtils;
+import org.springframework.web.util.UriComponentsBuilder;
 
 /**
  * Utility methods for the OpenID Connect 1.0 {@link AuthenticationProvider}'s.
  *
  * @author Joe Grandja
+ * @author Ovidiu Popa
  * @since 0.1.1
  */
 final class OidcAuthenticationProviderUtils {
@@ -60,4 +70,46 @@ static <T extends AbstractOAuth2Token> OAuth2Authorization invalidate(
 
 		return authorizationBuilder.build();
 	}
+
+	static String registrationClientUri(String issuer, String oidcClientRegistrationEndpoint, String clientId){
+		return UriComponentsBuilder.fromUriString(issuer)
+				.path(oidcClientRegistrationEndpoint)
+				.queryParam(OAuth2ParameterNames.CLIENT_ID, clientId).toUriString();
+	}
+
+	static OidcClientRegistration convert(RegisteredClient registeredClient, String registrationClientUri,
+			@Nullable String registrationAccessToken) {
+		// @formatter:off
+		OidcClientRegistration.Builder builder = OidcClientRegistration.builder()
+				.clientId(registeredClient.getClientId())
+				.clientIdIssuedAt(registeredClient.getClientIdIssuedAt())
+				.clientSecret(registeredClient.getClientSecret())
+				.clientName(registeredClient.getClientName());
+
+		builder.redirectUris(redirectUris ->
+				redirectUris.addAll(registeredClient.getRedirectUris()));
+
+		builder.grantTypes(grantTypes ->
+				registeredClient.getAuthorizationGrantTypes().forEach(authorizationGrantType ->
+						grantTypes.add(authorizationGrantType.getValue())));
+
+		if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.AUTHORIZATION_CODE)) {
+			builder.responseType(OAuth2AuthorizationResponseType.CODE.getValue());
+		}
+
+		if (!CollectionUtils.isEmpty(registeredClient.getScopes())) {
+			builder.scopes(scopes ->
+					scopes.addAll(registeredClient.getScopes()));
+		}
+
+		builder
+				.tokenEndpointAuthenticationMethod(registeredClient.getClientAuthenticationMethods().iterator().next().getValue())
+				.idTokenSignedResponseAlgorithm(registeredClient.getTokenSettings().getIdTokenSignatureAlgorithm().getName())
+				.registrationClientUri(registrationClientUri);
+		if (StringUtils.hasText(registrationAccessToken)) {
+			builder.registrationAccessToken(registrationAccessToken);
+		}
+		return builder.build();
+		// @formatter:on
+	}
 }
@@ -0,0 +1,128 @@
+/*
+ * Copyright 2020-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.oidc.authentication;
+
+import java.util.Collection;
+import java.util.Map;
+
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.core.OAuth2TokenType;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
+import org.springframework.security.oauth2.server.resource.authentication.AbstractOAuth2TokenAuthenticationToken;
+import org.springframework.util.Assert;
+
+/**
+ * An {@link AuthenticationProvider} implementation for OpenID Connect Client Configuration 1.0.
+ *
+ * @author Ovidiu Popa
+ * @since 0.2.1
+ * @see RegisteredClientRepository
+ * @see OAuth2AuthorizationService
+ * @see <a href="https://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint">4. Client Configuration Endpoint</a>
+ */
+public final class OidcClientConfigurationAuthenticationProvider implements AuthenticationProvider {
+
+	private static final String DEFAULT_AUTHORIZED_SCOPE = "client.read";
+
+	private final RegisteredClientRepository registeredClientRepository;
+	private final OAuth2AuthorizationService authorizationService;
+	private final ProviderSettings providerSettings;
+
+	/**
+	 * Constructs an {@code OidcClientConfigurationAuthenticationProvider} using the provided parameters.
+	 *
+	 * @param registeredClientRepository the repository of registered clients
+	 * @param authorizationService       the authorization service
+	 * @param providerSettings           the provider settings
+	 */
+	public OidcClientConfigurationAuthenticationProvider(RegisteredClientRepository registeredClientRepository,
+			OAuth2AuthorizationService authorizationService, ProviderSettings providerSettings) {
+		Assert.notNull(registeredClientRepository, "registeredClientRepository cannot be null");
+		Assert.notNull(authorizationService, "authorizationService cannot be null");
+		Assert.notNull(providerSettings, "providerSettings cannot be null");
+		this.registeredClientRepository = registeredClientRepository;
+		this.authorizationService = authorizationService;
+		this.providerSettings = providerSettings;
+	}
+
+	@Override
+	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+		OidcClientConfigurationAuthenticationToken clientConfigurationAuthentication =
+				(OidcClientConfigurationAuthenticationToken) authentication;
+
+		// Validate the "registration" access token
+		AbstractOAuth2TokenAuthenticationToken<?> accessTokenAuthentication = null;
+		if (AbstractOAuth2TokenAuthenticationToken.class.isAssignableFrom(clientConfigurationAuthentication.getPrincipal().getClass())) {
+			accessTokenAuthentication = (AbstractOAuth2TokenAuthenticationToken<?>) clientConfigurationAuthentication.getPrincipal();
+		}
+		if (accessTokenAuthentication == null || !accessTokenAuthentication.isAuthenticated()) {
+			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_TOKEN);
+		}
+
+		String accessTokenValue = accessTokenAuthentication.getToken().getTokenValue();
+
+		OAuth2Authorization authorization = this.authorizationService.findByToken(
+				accessTokenValue, OAuth2TokenType.ACCESS_TOKEN);
+		if (authorization == null) {
+			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_TOKEN);
+		}
+
+		OAuth2Authorization.Token<OAuth2AccessToken> authorizedAccessToken = authorization.getAccessToken();
+		if (!authorizedAccessToken.isActive()) {
+			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_TOKEN);
+		}
+
+		if (!isAuthorized(authorizedAccessToken)) {
+			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INSUFFICIENT_SCOPE);
+		}
+
+		RegisteredClient registeredClient = this.registeredClientRepository
+				.findByClientId(clientConfigurationAuthentication.getClientId());
+
+		if (registeredClient == null) {
+			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_CLIENT);
+		}
+		if (!registeredClient.getId().equals(authorization.getRegisteredClientId())) {
+			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_CLIENT);
+		}
+
+		String registrationClientUri = OidcAuthenticationProviderUtils.registrationClientUri(this.providerSettings.getIssuer(), this.providerSettings.getOidcClientRegistrationEndpoint(), registeredClient.getClientId());
+		return new OidcClientConfigurationAuthenticationToken(
+				accessTokenAuthentication, OidcAuthenticationProviderUtils.convert(registeredClient, registrationClientUri, null));
+	}
+
+	@Override
+	public boolean supports(Class<?> authentication) {
+		return OidcClientConfigurationAuthenticationToken.class.isAssignableFrom(authentication);
+	}
+
+	@SuppressWarnings("unchecked")
+	private static boolean isAuthorized(OAuth2Authorization.Token<OAuth2AccessToken> authorizedAccessToken) {
+		Map<String, Object> accessTokenClaims = authorizedAccessToken.getClaims();
+		Object scope =  accessTokenClaims != null ? accessTokenClaims.get(OAuth2ParameterNames.SCOPE) : null;
+		return scope != null && ((Collection<String>) scope).contains(DEFAULT_AUTHORIZED_SCOPE);
+	}
+}