Polish gh-88

Author: jgrandja

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationServerConfigurer.java

@@ -19,9 +19,11 @@
 import org.springframework.beans.factory.NoUniqueBeanDefinitionException;
 import org.springframework.context.ApplicationContext;
 import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
 import org.springframework.security.oauth2.server.authorization.InMemoryOAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationProvider;
@@ -32,6 +34,7 @@
 import org.springframework.security.oauth2.server.authorization.web.OAuth2ClientAuthenticationFilter;
 import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
+import org.springframework.security.web.authentication.HttpStatusEntryPoint;
 import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.util.Assert;
@@ -89,12 +92,22 @@ public void init(B builder) {
 				new OAuth2AuthorizationCodeAuthenticationProvider(
 						getRegisteredClientRepository(builder),
 						getAuthorizationService(builder));
-
-		OAuth2ClientCredentialsAuthenticationProvider clientCredentialsAuthenticationProvider
-				= new OAuth2ClientCredentialsAuthenticationProvider();
-
 		builder.authenticationProvider(postProcess(authorizationCodeAuthenticationProvider));
+
+		OAuth2ClientCredentialsAuthenticationProvider clientCredentialsAuthenticationProvider =
+				new OAuth2ClientCredentialsAuthenticationProvider(
+						getAuthorizationService(builder));
 		builder.authenticationProvider(postProcess(clientCredentialsAuthenticationProvider));
+
+		ExceptionHandlingConfigurer<B> exceptionHandling = builder.getConfigurer(ExceptionHandlingConfigurer.class);
+		if (exceptionHandling != null) {
+			// Register the default AuthenticationEntryPoint for the token endpoint
+			exceptionHandling.defaultAuthenticationEntryPointFor(
+					new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED),
+					new AntPathRequestMatcher(
+							OAuth2TokenEndpointFilter.DEFAULT_TOKEN_ENDPOINT_URI,
+							HttpMethod.POST.name()));
+		}
 	}
 
 	@Override

core/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2Authorization.java

@@ -210,7 +210,6 @@ public Builder attributes(Consumer<Map<String, Object>> attributesConsumer) {
 		 */
 		public OAuth2Authorization build() {
 			Assert.hasText(this.principalName, "principalName cannot be empty");
-			Assert.notNull(this.attributes.get(OAuth2AuthorizationAttributeNames.CODE), "authorization code cannot be null");
 
 			OAuth2Authorization authorization = new OAuth2Authorization();
 			authorization.registeredClientId = this.registeredClientId;

core/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationProvider.java

@@ -15,11 +15,6 @@
  */
 package org.springframework.security.oauth2.server.authorization.authentication;
 
-import java.time.Instant;
-import java.time.temporal.ChronoUnit;
-import java.util.Base64;
-import java.util.Set;
-
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
@@ -29,53 +24,82 @@
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.util.Assert;
+import org.springframework.util.CollectionUtils;
+
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Base64;
+import java.util.LinkedHashSet;
+import java.util.Set;
+import java.util.stream.Collectors;
 
 /**
  * An {@link AuthenticationProvider} implementation for the OAuth 2.0 Client Credentials Grant.
  *
  * @author Alexey Nesterov
  * @since 0.0.1
  * @see OAuth2ClientCredentialsAuthenticationToken
+ * @see OAuth2AccessTokenAuthenticationToken
+ * @see OAuth2AuthorizationService
  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.4">Section 4.4 Client Credentials Grant</a>
  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.4.2">Section 4.4.2 Access Token Request</a>
  */
-
 public class OAuth2ClientCredentialsAuthenticationProvider implements AuthenticationProvider {
-
+	private final OAuth2AuthorizationService authorizationService;
 	private final StringKeyGenerator accessTokenGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder());
 
+	/**
+	 * Constructs an {@code OAuth2ClientCredentialsAuthenticationProvider} using the provided parameters.
+	 *
+	 * @param authorizationService the authorization service
+	 */
+	public OAuth2ClientCredentialsAuthenticationProvider(OAuth2AuthorizationService authorizationService) {
+		Assert.notNull(authorizationService, "authorizationService cannot be null");
+		this.authorizationService = authorizationService;
+	}
+
 	@Override
 	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
-		OAuth2ClientCredentialsAuthenticationToken clientCredentialsAuthenticationToken =
+		OAuth2ClientCredentialsAuthenticationToken clientCredentialsAuthentication =
 				(OAuth2ClientCredentialsAuthenticationToken) authentication;
 
 		OAuth2ClientAuthenticationToken clientPrincipal = null;
-		if (OAuth2ClientAuthenticationToken.class.isAssignableFrom(clientCredentialsAuthenticationToken.getPrincipal().getClass())) {
-			clientPrincipal = (OAuth2ClientAuthenticationToken) clientCredentialsAuthenticationToken.getPrincipal();
+		if (OAuth2ClientAuthenticationToken.class.isAssignableFrom(clientCredentialsAuthentication.getPrincipal().getClass())) {
+			clientPrincipal = (OAuth2ClientAuthenticationToken) clientCredentialsAuthentication.getPrincipal();
 		}
-
 		if (clientPrincipal == null || !clientPrincipal.isAuthenticated()) {
 			throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_CLIENT));
 		}
+		RegisteredClient registeredClient = clientPrincipal.getRegisteredClient();
 
-		Set<String> clientScopes = clientPrincipal.getRegisteredClient().getScopes();
-		Set<String> requestedScopes = clientCredentialsAuthenticationToken.getScopes();
-		if (!clientScopes.containsAll(requestedScopes)) {
-			throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_SCOPE));
-		}
-
-		if (requestedScopes == null || requestedScopes.isEmpty()) {
-			requestedScopes = clientScopes;
+		Set<String> scopes = registeredClient.getScopes();		// Default to configured scopes
+		if (!CollectionUtils.isEmpty(clientCredentialsAuthentication.getScopes())) {
+			Set<String> unauthorizedScopes = clientCredentialsAuthentication.getScopes().stream()
+					.filter(requestedScope -> !registeredClient.getScopes().contains(requestedScope))
+					.collect(Collectors.toSet());
+			if (!CollectionUtils.isEmpty(unauthorizedScopes)) {
+				throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_SCOPE));
+			}
+			scopes = new LinkedHashSet<>(clientCredentialsAuthentication.getScopes());
 		}
 
 		String tokenValue = this.accessTokenGenerator.generateKey();
 		Instant issuedAt = Instant.now();
 		Instant expiresAt = issuedAt.plus(1, ChronoUnit.HOURS);		// TODO Allow configuration for access token lifespan
 		OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
-				tokenValue, issuedAt, expiresAt, requestedScopes);
+				tokenValue, issuedAt, expiresAt, scopes);
+
+		OAuth2Authorization authorization = OAuth2Authorization.withRegisteredClient(registeredClient)
+				.principalName(clientPrincipal.getName())
+				.accessToken(accessToken)
+				.build();
+		this.authorizationService.save(authorization);
 
-		return new OAuth2AccessTokenAuthenticationToken(
-				clientPrincipal.getRegisteredClient(), clientPrincipal, accessToken);
+		return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken);
 	}
 
 	@Override

core/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationToken.java

@@ -13,55 +13,69 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
 package org.springframework.security.oauth2.server.authorization.authentication;
 
-import java.util.Collections;
-import java.util.Set;
-
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.server.authorization.Version;
 import org.springframework.util.Assert;
 
+import java.util.Collections;
+import java.util.LinkedHashSet;
+import java.util.Set;
+
 /**
  * An {@link Authentication} implementation used for the OAuth 2.0 Client Credentials Grant.
  *
  * @author Alexey Nesterov
  * @since 0.0.1
- * @see Authentication
+ * @see AbstractAuthenticationToken
  * @see OAuth2ClientCredentialsAuthenticationProvider
+ * @see OAuth2ClientAuthenticationToken
  */
 public class OAuth2ClientCredentialsAuthenticationToken extends AbstractAuthenticationToken {
-
 	private static final long serialVersionUID = Version.SERIAL_VERSION_UID;
-
 	private final Authentication clientPrincipal;
 	private final Set<String> scopes;
 
+	/**
+	 * Constructs an {@code OAuth2ClientCredentialsAuthenticationToken} using the provided parameters.
+	 *
+	 * @param clientPrincipal the authenticated client principal
+	 */
+	public OAuth2ClientCredentialsAuthenticationToken(Authentication clientPrincipal) {
+		this(clientPrincipal, Collections.emptySet());
+	}
+
+	/**
+	 * Constructs an {@code OAuth2ClientCredentialsAuthenticationToken} using the provided parameters.
+	 *
+	 * @param clientPrincipal the authenticated client principal
+	 * @param scopes the requested scope(s)
+	 */
 	public OAuth2ClientCredentialsAuthenticationToken(Authentication clientPrincipal, Set<String> scopes) {
 		super(Collections.emptyList());
 		Assert.notNull(clientPrincipal, "clientPrincipal cannot be null");
 		Assert.notNull(scopes, "scopes cannot be null");
 		this.clientPrincipal = clientPrincipal;
-		this.scopes = scopes;
+		this.scopes = Collections.unmodifiableSet(new LinkedHashSet<>(scopes));
 	}
 
-	@SuppressWarnings("unchecked")
-	public OAuth2ClientCredentialsAuthenticationToken(OAuth2ClientAuthenticationToken clientPrincipal) {
-		this(clientPrincipal, Collections.EMPTY_SET);
+	@Override
+	public Object getPrincipal() {
+		return this.clientPrincipal;
 	}
 
 	@Override
 	public Object getCredentials() {
 		return "";
 	}
 
-	@Override
-	public Object getPrincipal() {
-		return this.clientPrincipal;
-	}
-
+	/**
+	 * Returns the requested scope(s).
+	 *
+	 * @return the requested scope(s), or an empty {@code Set} if not available
+	 */
 	public Set<String> getScopes() {
 		return this.scopes;
 	}

core/src/main/java/org/springframework/security/oauth2/server/authorization/web/DelegatingAuthorizationGrantAuthenticationConverter.java

@@ -13,45 +13,52 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
 package org.springframework.security.oauth2.server.authorization.web;
 
-import javax.servlet.http.HttpServletRequest;
-import java.util.Collections;
-import java.util.Map;
-
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 
+import javax.servlet.http.HttpServletRequest;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
 /**
- * A {@link Converter} that delegates actual conversion to one of the provided converters based on grant_type param of a request.
- * Returns null is grant type is not specified or not supported.
+ * A {@link Converter} that selects (and delegates) to one of the internal {@code Map} of {@link Converter}'s
+ * using the {@link OAuth2ParameterNames#GRANT_TYPE} request parameter.
  *
  * @author Alexey Nesterov
  * @since 0.0.1
  */
 public final class DelegatingAuthorizationGrantAuthenticationConverter implements Converter<HttpServletRequest, Authentication> {
-
 	private final Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters;
 
-	public DelegatingAuthorizationGrantAuthenticationConverter(Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters) {
+	/**
+	 * Constructs a {@code DelegatingAuthorizationGrantAuthenticationConverter} using the provided parameters.
+	 *
+	 * @param converters a {@code Map} of {@link Converter}(s)
+	 */
+	public DelegatingAuthorizationGrantAuthenticationConverter(
+			Map<AuthorizationGrantType, Converter<HttpServletRequest, Authentication>> converters) {
 		Assert.notEmpty(converters, "converters cannot be empty");
-
-		this.converters = Collections.unmodifiableMap(converters);
+		this.converters = Collections.unmodifiableMap(new HashMap<>(converters));
 	}
 
 	@Override
 	public Authentication convert(HttpServletRequest request) {
+		Assert.notNull(request, "request cannot be null");
+
 		String grantType = request.getParameter(OAuth2ParameterNames.GRANT_TYPE);
 		if (StringUtils.isEmpty(grantType)) {
 			return null;
 		}
 
-		Converter<HttpServletRequest, Authentication> converter = this.converters.get(new AuthorizationGrantType(grantType));
+		Converter<HttpServletRequest, Authentication> converter =
+				this.converters.get(new AuthorizationGrantType(grantType));
 		if (converter == null) {
 			return null;
 		}