DefaultServerOAuth2AuthorizationRequestResolver requireProofKey support

rwinch · rwinch · commit 0ed7b18f4238 · 2025-01-17T17:26:46.000-06:00
When requireProofKey=true, DefaultServerOAuth2AuthorizationRequestResolver enables PKCE support. Issue gh-16382
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/DefaultServerOAuth2AuthorizationRequestResolver.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/DefaultServerOAuth2AuthorizationRequestResolver.java
@@ -196,7 +196,8 @@ private OAuth2AuthorizationRequest.Builder getBuilder(ClientRegistration clientR
 				// value.
 				applyNonce(builder);
 			}
-			if (ClientAuthenticationMethod.NONE.equals(clientRegistration.getClientAuthenticationMethod())) {
+			if (ClientAuthenticationMethod.NONE.equals(clientRegistration.getClientAuthenticationMethod())
+					|| clientRegistration.getClientSettings().isRequireProofKey()) {
 				DEFAULT_PKCE_APPLIER.accept(builder);
 			}
 			return builder;
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/server/DefaultServerOAuth2AuthorizationRequestResolverTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/server/DefaultServerOAuth2AuthorizationRequestResolverTests.java
@@ -27,6 +27,7 @@
 import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
 import org.springframework.mock.web.server.MockServerWebExchange;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.registration.ClientSettings;
 import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
 import org.springframework.security.oauth2.client.registration.TestClientRegistrations;
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestCustomizers;
@@ -169,6 +170,20 @@ public void resolveWhenAuthorizationRequestApplyPkceToSpecificConfidentialClient
 		assertPkceNotApplied(request, registration2);
 	}
 
+	@Test
+	void resolveWhenRequireProofKeyTrueThenPkceEnabled() {
+		ClientSettings pkceEnabled = ClientSettings.builder().requireProofKey(true).build();
+		ClientRegistration clientWithPkceEnabled = TestClientRegistrations.clientRegistration()
+			.clientSettings(pkceEnabled)
+			.build();
+		given(this.clientRegistrationRepository.findByRegistrationId(any()))
+			.willReturn(Mono.just(clientWithPkceEnabled));
+
+		OAuth2AuthorizationRequest request = resolve(
+				"/oauth2/authorization/" + clientWithPkceEnabled.getRegistrationId());
+		assertPkceApplied(request, clientWithPkceEnabled);
+	}
+
 	private void assertPkceApplied(OAuth2AuthorizationRequest authorizationRequest,
 			ClientRegistration clientRegistration) {
 		assertThat(authorizationRequest.getAdditionalParameters()).containsKey(PkceParameterNames.CODE_CHALLENGE);

Original file line number	Diff line number	Diff line change
`@@ -196,7 +196,8 @@ private OAuth2AuthorizationRequest.Builder getBuilder(ClientRegistration clientR`
`196`	`196`	`// value.`
`197`	`197`	`applyNonce(builder);`
`198`	`198`	`}`
`199`		`- if (ClientAuthenticationMethod.NONE.equals(clientRegistration.getClientAuthenticationMethod())) {`
	`199`	`+ if (ClientAuthenticationMethod.NONE.equals(clientRegistration.getClientAuthenticationMethod())`
	`200`	`+ \|\| clientRegistration.getClientSettings().isRequireProofKey()) {`
`200`	`201`	`DEFAULT_PKCE_APPLIER.accept(builder);`
`201`	`202`	`}`
`202`	`203`	`return builder;`