Implement Client Configuration Endpoint

See: https://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint

Generate registration_client_uri and registration_access_token when registering a new client (see: https://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration)

Closes gh-355

Author: ovidiupopa07

oauth2-authorization-server/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcClientRegistrationEndpointConfigurer.java

@@ -24,6 +24,7 @@
 import org.springframework.security.oauth2.server.authorization.oidc.web.OidcClientRegistrationEndpointFilter;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 
 /**
@@ -47,13 +48,17 @@ public final class OidcClientRegistrationEndpointConfigurer extends AbstractOAut
 	@Override
 	<B extends HttpSecurityBuilder<B>> void init(B builder) {
 		ProviderSettings providerSettings = OAuth2ConfigurerUtils.getProviderSettings(builder);
-		this.requestMatcher = new AntPathRequestMatcher(
-				providerSettings.getOidcClientRegistrationEndpoint(), HttpMethod.POST.name());
+		this.requestMatcher = new OrRequestMatcher(
+				new AntPathRequestMatcher(providerSettings.getOidcClientRegistrationEndpoint(), HttpMethod.POST.name()),
+				new AntPathRequestMatcher(providerSettings.getOidcClientRegistrationEndpoint(), HttpMethod.GET.name())
+		);
 
 		OidcClientRegistrationAuthenticationProvider oidcClientRegistrationAuthenticationProvider =
 				new OidcClientRegistrationAuthenticationProvider(
 						OAuth2ConfigurerUtils.getRegisteredClientRepository(builder),
-						OAuth2ConfigurerUtils.getAuthorizationService(builder));
+						OAuth2ConfigurerUtils.getAuthorizationService(builder),
+						OAuth2ConfigurerUtils.getJwtEncoder(builder),
+						providerSettings);
 		builder.authenticationProvider(postProcess(oidcClientRegistrationAuthenticationProvider));
 	}
 

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/OidcClientMetadataClaimAccessor.java

@@ -15,6 +15,7 @@
  */
 package org.springframework.security.oauth2.core.oidc;
 
+import java.net.URL;
 import java.time.Instant;
 import java.util.List;
 
@@ -134,4 +135,24 @@ default String getIdTokenSignedResponseAlgorithm() {
 		return getClaimAsString(OidcClientMetadataClaimNames.ID_TOKEN_SIGNED_RESPONSE_ALG);
 	}
 
+	/**
+	 * Returns the Registration Access Token that can be used at the Client Configuration Endpoint.
+	 *
+	 * @return the Registration Access Token that can be used at the Client Configuration Endpoint
+	 * @since 0.2.1
+	 */
+	default String getRegistrationAccessToken() {
+		return getClaimAsString(OidcClientMetadataClaimNames.REGISTRATION_ACCESS_TOKEN);
+	}
+
+	/**
+	 * Returns the {@code URL} of the OAuth 2.0 Client Configuration Endpoint.
+	 *
+	 * @return the {@code URL} of the OAuth 2.0 Client Configuration Endpoint
+	 * @since 0.2.1
+	 */
+	default URL getRegistrationClientUri() {
+		return getClaimAsURL(OidcClientMetadataClaimNames.REGISTRATION_CLIENT_URI);
+	}
+
 }

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/OidcClientMetadataClaimNames.java

@@ -83,4 +83,16 @@ public interface OidcClientMetadataClaimNames {
 	 */
 	String ID_TOKEN_SIGNED_RESPONSE_ALG = "id_token_signed_response_alg";
 
+	/**
+	 * {@code registration_access_token} - Registration Access Token that can be used at the Client Configuration Endpoint to perform subsequent operations upon the Client registration
+	 * @since 0.2.1
+	 */
+	String REGISTRATION_ACCESS_TOKEN = "registration_access_token";
+
+	/**
+	 * {@code registration_client_uri} - the {@code URL} of the OAuth 2.0 Client Configuration Endpoint
+	 * @since 0.2.1
+	 */
+	String REGISTRATION_CLIENT_URI = "registration_client_uri";
+
 }

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/OidcClientRegistration.java

@@ -251,6 +251,26 @@ public Builder idTokenSignedResponseAlgorithm(String idTokenSignedResponseAlgori
 			return claim(OidcClientMetadataClaimNames.ID_TOKEN_SIGNED_RESPONSE_ALG, idTokenSignedResponseAlgorithm);
 		}
 
+		/**
+		 * Sets the Registration Access Token that can be used at the Client Configuration Endpoint to perform subsequent operations upon the Client registration, OPTIONAL.
+		 *
+		 * @param registrationAccessToken the Registration Access Token that can be used at the Client Configuration Endpoint to perform subsequent operations upon the Client registration
+		 * @return the {@link Builder} for further configuration
+		 */
+		public Builder registrationAccessToken(String registrationAccessToken) {
+			return claim(OidcClientMetadataClaimNames.REGISTRATION_ACCESS_TOKEN, registrationAccessToken);
+		}
+
+		/**
+		 * Sets the {@code URL} of the OAuth 2.0 Client Configuration Endpoint, OPTIONAL.
+		 *
+		 * @param registrationClientUri the {@code URL} of the OAuth 2.0 Client Configuration Endpoint
+		 * @return the {@link Builder} for further configuration
+		 */
+		public Builder registrationClientUri(String registrationClientUri) {
+			return claim(OidcClientMetadataClaimNames.REGISTRATION_CLIENT_URI, registrationClientUri);
+		}
+
 		/**
 		 * Sets the claim.
 		 *

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcAuthenticationProviderUtils.java

@@ -15,16 +15,26 @@
  */
 package org.springframework.security.oauth2.server.authorization.oidc.authentication;
 
+import org.springframework.lang.Nullable;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.oauth2.core.AbstractOAuth2Token;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.OAuth2AuthorizationCode;
 import org.springframework.security.oauth2.core.OAuth2RefreshToken;
+import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponseType;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.core.oidc.OidcClientRegistration;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
-import org.springframework.security.oauth2.core.OAuth2AuthorizationCode;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.util.CollectionUtils;
+import org.springframework.util.StringUtils;
+import org.springframework.web.util.UriComponentsBuilder;
 
 /**
  * Utility methods for the OpenID Connect 1.0 {@link AuthenticationProvider}'s.
  *
  * @author Joe Grandja
+ * @author Ovidiu Popa
  * @since 0.1.1
  */
 final class OidcAuthenticationProviderUtils {
@@ -60,4 +70,46 @@ static <T extends AbstractOAuth2Token> OAuth2Authorization invalidate(
 
 		return authorizationBuilder.build();
 	}
+
+	static String registrationClientUri(String issuer, String oidcClientRegistrationEndpoint, String clientId){
+		return UriComponentsBuilder.fromUriString(issuer)
+				.path(oidcClientRegistrationEndpoint)
+				.queryParam(OAuth2ParameterNames.CLIENT_ID, clientId).toUriString();
+	}
+
+	static OidcClientRegistration convert(RegisteredClient registeredClient, String registrationClientUri,
+			@Nullable String registrationAccessToken) {
+		// @formatter:off
+		OidcClientRegistration.Builder builder = OidcClientRegistration.builder()
+				.clientId(registeredClient.getClientId())
+				.clientIdIssuedAt(registeredClient.getClientIdIssuedAt())
+				.clientSecret(registeredClient.getClientSecret())
+				.clientName(registeredClient.getClientName());
+
+		builder.redirectUris(redirectUris ->
+				redirectUris.addAll(registeredClient.getRedirectUris()));
+
+		builder.grantTypes(grantTypes ->
+				registeredClient.getAuthorizationGrantTypes().forEach(authorizationGrantType ->
+						grantTypes.add(authorizationGrantType.getValue())));
+
+		if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.AUTHORIZATION_CODE)) {
+			builder.responseType(OAuth2AuthorizationResponseType.CODE.getValue());
+		}
+
+		if (!CollectionUtils.isEmpty(registeredClient.getScopes())) {
+			builder.scopes(scopes ->
+					scopes.addAll(registeredClient.getScopes()));
+		}
+
+		builder
+				.tokenEndpointAuthenticationMethod(registeredClient.getClientAuthenticationMethods().iterator().next().getValue())
+				.idTokenSignedResponseAlgorithm(registeredClient.getTokenSettings().getIdTokenSignatureAlgorithm().getName())
+				.registrationClientUri(registrationClientUri);
+		if (StringUtils.hasText(registrationAccessToken)) {
+			builder.registrationAccessToken(registrationAccessToken);
+		}
+		return builder.build();
+		// @formatter:on
+	}
 }

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcClientRegistrationAuthenticationConverter.java

@@ -0,0 +1,115 @@
+/*
+ * Copyright 2020-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.oidc.authentication;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.springframework.http.converter.HttpMessageConverter;
+import org.springframework.http.server.ServletServerHttpRequest;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.core.oidc.OidcClientRegistration;
+import org.springframework.security.oauth2.core.oidc.http.converter.OidcClientRegistrationHttpMessageConverter;
+import org.springframework.security.oauth2.server.authorization.oidc.web.OidcClientRegistrationEndpointFilter;
+import org.springframework.security.web.authentication.AuthenticationConverter;
+import org.springframework.security.web.util.matcher.AndRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.util.StringUtils;
+
+/**
+ * Attempts to extract an OpenID Connect Dynamic Client Registration 1.0 Request (or OpenID Connect Client Configuration 1.0 Request) from {@link HttpServletRequest}
+ * for the OIDC Client Registration or Configuration flows and then converts it to
+ * an {@link OidcClientRegistrationAuthenticationToken} used for authenticating the request.
+ *
+ * @author Ovidiu Popa
+ * @since 0.2.1
+ * @see AuthenticationConverter
+ * @see OidcClientRegistrationAuthenticationToken
+ * @see OidcClientRegistrationEndpointFilter
+ */
+public class OidcClientRegistrationAuthenticationConverter implements AuthenticationConverter {
+
+	private final HttpMessageConverter<OidcClientRegistration> clientRegistrationHttpMessageConverter =
+			new OidcClientRegistrationHttpMessageConverter();
+
+	private static final RequestMatcher OIDC_CLIENT_CONFIGURATION_REQUEST_MATCHER = createOidcClientConfigurationRequestMatcher();
+
+	@Override
+	public Authentication convert(HttpServletRequest request) {
+
+
+		Authentication principal = SecurityContextHolder.getContext().getAuthentication();
+
+		if ("POST".equals(request.getMethod())) {
+			return getOidcClientRegistrationAuthentication(request, principal);
+		}
+		if (OIDC_CLIENT_CONFIGURATION_REQUEST_MATCHER.matches(request)) {
+			return getOidcClientConfigurationAuthentication(request, principal);
+		}
+
+		throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST));
+	}
+
+	private OidcClientRegistrationAuthenticationToken getOidcClientConfigurationAuthentication(HttpServletRequest request, Authentication principal) {
+		String clientId = request.getParameter(OAuth2ParameterNames.CLIENT_ID);
+		String[] clientIdParameters = request.getParameterValues(OAuth2ParameterNames.CLIENT_ID);
+		if (!StringUtils.hasText(clientId) || clientIdParameters.length != 1) {
+			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_CLIENT);
+		}
+		return
+				OidcClientRegistrationAuthenticationToken.with(principal)
+						.clientRegistrationRequest(false)
+						.clientId(clientId)
+						.build();
+	}
+
+	private Authentication getOidcClientRegistrationAuthentication(HttpServletRequest request, Authentication principal) {
+		try {
+			OidcClientRegistration clientRegistration = this.clientRegistrationHttpMessageConverter.read(
+					OidcClientRegistration.class, new ServletServerHttpRequest(request));
+			return
+					OidcClientRegistrationAuthenticationToken.with(principal)
+							.clientRegistrationRequest(true)
+							.clientRegistration(clientRegistration)
+							.build();
+		} catch (IOException ex) {
+			OAuth2Error error = new OAuth2Error(
+					OAuth2ErrorCodes.INVALID_REQUEST,
+					"OpenID Client Registration Error: " + ex.getMessage(),
+					"https://openid.net/specs/openid-connect-registration-1_0.html#RegistrationError");
+			throw new OAuth2AuthenticationException(error);
+		}
+	}
+
+	private static RequestMatcher createOidcClientConfigurationRequestMatcher() {
+		RequestMatcher clientConfigurationRequestGetMatcher = request -> "GET".equals(request.getMethod());
+
+		RequestMatcher clientIdMatcher = request -> {
+			String clientId = request.getParameter(OAuth2ParameterNames.CLIENT_ID);
+			return StringUtils.hasText(clientId);
+		};
+
+		return
+				new AndRequestMatcher(clientConfigurationRequestGetMatcher, clientIdMatcher);
+
+	}
+}