Skip to content

Fix to ensure endpoints distinguish between form and query parameters #1468

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 3 commits into from
Closed

Fix to ensure endpoints distinguish between form and query parameters #1468

wants to merge 3 commits into from

Conversation

gregecho
Copy link

@gregecho gregecho commented Dec 5, 2023

Fix gh-1451, initial implementation of get parameters from body for OAuth2AuthorizationCodeAuthenticationConverter.

@gregecho
Copy link
Author

gregecho commented Dec 5, 2023

@jgrandja , I just modify the OAuth2AuthorizationCodeAuthenticationConverter to use the method getFormParameters in this commit. I'd like to get your input as to the approach for this implementation, then I'll handle the other AuthenticationConverters.
Let me know if you need further clarification on any part of this draft.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Dec 5, 2023
@gregecho gregecho marked this pull request as draft December 6, 2023 00:28
jgrandja
jgrandja requested changes Dec 8, 2023
View reviewed changes
Copy link
Collaborator

@jgrandja jgrandja left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @gregecho. Please see review comments.

...ngframework/security/oauth2/server/authorization/web/authentication/OAuth2EndpointUtils.java Outdated
@@ -54,6 +57,49 @@ static MultiValueMap<String, String> getParameters(HttpServletRequest request) {
return parameters;
}

static MultiValueMap<String, String> getFormParameters(HttpServletRequest request) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This method can be simplified. Given the existing getParameters() method, the only change required to make it function as getFormParameters() is:

...

parameterMap.forEach((key, values) -> {
	if (!request.getQueryString().contains(key) &&	// If not query parameter then it's a form parameter
			values.length > 0) {
		for (String value : values) {
			parameters.add(key, value);
		}
	}
});

...

And for getQueryParameters(), applying if (request.getQueryString().contains(key) ... would work.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. That's a simple way to implement that.

...erver/authorization/config/annotation/web/configurers/OAuth2AuthorizationCodeGrantTests.java Outdated
@@ -355,7 +356,8 @@ private OAuth2AccessTokenResponse assertTokenRequestReturnsAccessTokenResponse(R
OAuth2Authorization authorization, String tokenEndpointUri) throws Exception {
MvcResult mvcResult = this.mvc.perform(post(tokenEndpointUri)
.params(getTokenRequestParameters(registeredClient, authorization))
.header(HttpHeaders.AUTHORIZATION, getAuthorizationHeader(registeredClient)))
.header(HttpHeaders.AUTHORIZATION, getAuthorizationHeader(registeredClient))
.contentType(MediaType.APPLICATION_FORM_URLENCODED_VALUE))
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please remove all changes where the content type is set in the request as it's redundant. Let's keep the changes in this PR to only what's required for the fix.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reverted all changes for the content type changes.

@jgrandja jgrandja changed the title draft: initial implementation of get parameters from body for OAuth2A… Fix to ensure endpoints distinguish between form and query parameters Dec 8, 2023
@jgrandja jgrandja self-assigned this Dec 8, 2023
@jgrandja jgrandja added type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Dec 8, 2023
@jgrandja jgrandja added this to the 0.4.5 milestone Dec 8, 2023
@gregecho
Copy link
Author

@jgrandja ,

I just changed the /oauth2/token endpoints' related converter to distinguish between form and query parameters in this PR as the required in original gh-1451.

Do we need to create a new enhancement ticket for the other endpoints?

@gregecho gregecho requested a review from jgrandja December 11, 2023 08:42
@jgrandja
Copy link
Collaborator

@gregecho

Do we need to create a new enhancement ticket for the other endpoints?

No. Please include the updates to all AuthenticationConverter's. Also, please remove OAuth2EndpointUtils.getParameters() as it's not needed anymore.

Lastly, I noticed some formatting changes, e.g. reorganized imports. Please ensure the only code changes in this PR are related to the fix only. Thank you.

spring-projectsgh-1451:
8942796 
1. Update all AuthenticationConverters with either getFormParameters or getQueryParameters method
2. Remove useless method getParameters
3. Refactor code according to PR's comments
@gregecho
Copy link
Author

@gregecho

Do we need to create a new enhancement ticket for the other endpoints?

No. Please include the updates to all AuthenticationConverter's. Also, please remove OAuth2EndpointUtils.getParameters() as it's not needed anymore.

Lastly, I noticed some formatting changes, e.g. reorganized imports. Please ensure the only code changes in this PR are related to the fix only. Thank you.

Thanks for review the PR. I have updated the PR accordingly.

@gregecho gregecho marked this pull request as ready for review December 18, 2023 00:45
jgrandja added a commit that referenced this pull request Dec 18, 2023
@jgrandja
Polish gh-1468
f0a6a4c
jgrandja added a commit that referenced this pull request Dec 18, 2023
@jgrandja
Additional polish gh-1468
c86ddac
jgrandja added a commit that referenced this pull request Dec 18, 2023
@jgrandja
Fix tests
2aaf612 
Related gh-1468
@jgrandja
Copy link
Collaborator

Thanks for the updates @gregecho.

FYI, I added a polish commit to get this merged before tomorrow's release.

@jgrandja jgrandja closed this Dec 18, 2023
bclozel added a commit to spring-projects/spring-boot that referenced this pull request Dec 19, 2023
@bclozel
Fix authorization server smoke test
c4150df 
Change from spring-projects/spring-authorization-server#1468

See gh-38696
bclozel added a commit to spring-projects/spring-boot that referenced this pull request Dec 19, 2023
@bclozel
Fix authorization server smoke test
29016ef 
Change from spring-projects/spring-authorization-server#1468

See gh-38678
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jgrandja jgrandja Awaiting requested review from jgrandja

Assignees

@jgrandja jgrandja

Labels
type: bug A general bug
Projects
None yet
Milestone
0.4.5
Development

Successfully merging this pull request may close these issues.
3 participants
@gregecho @jgrandja @spring-projects-issues