spring-projects
diff --git a/‎oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/PkceParameterBuilder.java
+79 b/‎oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/PkceParameterBuilder.java
+79
diff --git a/‎oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolver.java
+31-47 b/‎oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolver.java
+31-47
diff --git a/‎oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/DefaultServerOAuth2AuthorizationRequestResolver.java
+40-48 b/‎oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/DefaultServerOAuth2AuthorizationRequestResolver.java
+40-48
@@ -0,0 +1,79 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.client.endpoint;
+
+import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
+import org.springframework.security.crypto.keygen.StringKeyGenerator;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
+import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;
+
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Base64;
+import java.util.function.BiConsumer;
+import java.util.function.Consumer;
+
+/**
+ * A {@link Consumer} of {@link OAuth2AuthorizationRequest.Builder} that
+ * adds additional {@link PkceParameterNames PKCE parameters}
+ * for use in the OAuth 2.0 Authorization Request and Access Token Request.
+ *
+ * <p>
+ * The {@link PkceParameterNames#CODE_CHALLENGE} and {@link PkceParameterNames#CODE_CHALLENGE_METHOD}
+ * are added as {@link OAuth2AuthorizationRequest#getAdditionalParameters() additional parameters} in the Authorization Request.
+ * The {@link PkceParameterNames#CODE_VERIFIER} is stored as an {@link OAuth2AuthorizationRequest#getAttributes() attribute}
+ * for use in the Access Token Request.
+ *
+ * @author Stephen Doxsee
+ * @author Kevin Bolduc
+ * @author Joe Grandja
+ * @since 5.2
+ * @see OAuth2AuthorizationRequest.Builder
+ * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7636#section-1.1">Section 1.1 Protocol Flow</a>
+ * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7636#section-4.1">Section 4.1 Client Creates a Code Verifier</a>
+ * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7636#section-4.2">Section 4.2 Client Creates the Code Challenge</a>
+ */
+public final class PkceParameterBuilder implements BiConsumer<OAuth2AuthorizationRequest.Builder, ClientRegistration> {
+	private final StringKeyGenerator codeVerifierGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96);
+
+	@Override
+	public void accept(OAuth2AuthorizationRequest.Builder builder, ClientRegistration clientRegistration) {
+		if (!AuthorizationGrantType.AUTHORIZATION_CODE.equals(clientRegistration.getAuthorizationGrantType())) {
+			return;
+		}
+
+		String codeVerifier = this.codeVerifierGenerator.generateKey();
+		builder.attributes(attrs -> attrs.put(PkceParameterNames.CODE_VERIFIER, codeVerifier));
+		try {
+			String codeChallenge = createCodeChallenge(codeVerifier);
+			builder.additionalParameters(params -> {
+				params.put(PkceParameterNames.CODE_CHALLENGE, codeChallenge);
+				params.put(PkceParameterNames.CODE_CHALLENGE_METHOD, "S256");
+			});
+		} catch (NoSuchAlgorithmException ex) {
+			builder.additionalParameters(params -> params.put(PkceParameterNames.CODE_CHALLENGE, codeVerifier));
+		}
+	}
+
+	private String createCodeChallenge(String codeVerifier) throws NoSuchAlgorithmException {
+		MessageDigest md = MessageDigest.getInstance("SHA-256");
+		byte[] digest = md.digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
+		return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
+	}
+}
@@ -17,13 +17,13 @@
 
 import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
 import org.springframework.security.crypto.keygen.StringKeyGenerator;
+import org.springframework.security.oauth2.client.endpoint.PkceParameterBuilder;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
-import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;
 import org.springframework.security.web.util.UrlUtils;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.util.Assert;
@@ -32,12 +32,10 @@
 import org.springframework.web.util.UriComponentsBuilder;
 
 import javax.servlet.http.HttpServletRequest;
-import java.nio.charset.StandardCharsets;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
 import java.util.Base64;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.function.BiConsumer;
 
 /**
  * An implementation of an {@link OAuth2AuthorizationRequestResolver} that attempts to
@@ -53,14 +51,17 @@
  * @since 5.1
  * @see OAuth2AuthorizationRequestResolver
  * @see OAuth2AuthorizationRequestRedirectFilter
+ * @see OAuth2AuthorizationRequest
+ * @see PkceParameterBuilder
  */
 public final class DefaultOAuth2AuthorizationRequestResolver implements OAuth2AuthorizationRequestResolver {
 	private static final String REGISTRATION_ID_URI_VARIABLE_NAME = "registrationId";
 	private static final char PATH_DELIMITER = '/';
 	private final ClientRegistrationRepository clientRegistrationRepository;
 	private final AntPathRequestMatcher authorizationRequestMatcher;
 	private final StringKeyGenerator stateGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder());
-	private final StringKeyGenerator codeVerifierGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96);
+	private final BiConsumer<OAuth2AuthorizationRequest.Builder, ClientRegistration> pkceParameterBuilder = new PkceParameterBuilder();
+	private BiConsumer<OAuth2AuthorizationRequest.Builder, ClientRegistration> authorizationRequestBuilder;
 
 	/**
 	 * Constructs a {@code DefaultOAuth2AuthorizationRequestResolver} using the provided parameters.
@@ -93,6 +94,18 @@ public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String reg
 		return resolve(request, registrationId, redirectUriAction);
 	}
 
+	/**
+	 * Sets the {@link BiConsumer} that is ultimately supplied with the {@link OAuth2AuthorizationRequest.Builder} instance.
+	 * This provides the ability for the {@code BiConsumer} to mutate the {@link OAuth2AuthorizationRequest} before it is built.
+	 *
+	 * @since 5.2
+	 * @param authorizationRequestBuilder the {@link BiConsumer} that is supplied the {@code OAuth2AuthorizationRequest.Builder} instance
+	 */
+	public void setAuthorizationRequestBuilder(BiConsumer<OAuth2AuthorizationRequest.Builder, ClientRegistration> authorizationRequestBuilder) {
+		Assert.notNull(authorizationRequestBuilder, "authorizationRequestBuilder cannot be null");
+		this.authorizationRequestBuilder = authorizationRequestBuilder;
+	}
+
 	private String getAction(HttpServletRequest request, String defaultAction) {
 		String action = request.getParameter("action");
 		if (action == null) {
@@ -111,17 +124,9 @@ private OAuth2AuthorizationRequest resolve(HttpServletRequest request, String re
 			throw new IllegalArgumentException("Invalid Client Registration with Id: " + registrationId);
 		}
 
-		Map<String, Object> attributes = new HashMap<>();
-		attributes.put(OAuth2ParameterNames.REGISTRATION_ID, clientRegistration.getRegistrationId());
-
 		OAuth2AuthorizationRequest.Builder builder;
 		if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(clientRegistration.getAuthorizationGrantType())) {
 			builder = OAuth2AuthorizationRequest.authorizationCode();
-			if (ClientAuthenticationMethod.NONE.equals(clientRegistration.getClientAuthenticationMethod())) {
-				Map<String, Object> additionalParameters = new HashMap<>();
-				addPkceParameters(attributes, additionalParameters);
-				builder.additionalParameters(additionalParameters);
-			}
 		} else if (AuthorizationGrantType.IMPLICIT.equals(clientRegistration.getAuthorizationGrantType())) {
 			builder = OAuth2AuthorizationRequest.implicit();
 		} else {
@@ -132,16 +137,25 @@ private OAuth2AuthorizationRequest resolve(HttpServletRequest request, String re
 
 		String redirectUriStr = expandRedirectUri(request, clientRegistration, redirectUriAction);
 
-		OAuth2AuthorizationRequest authorizationRequest = builder
+		builder
 				.clientId(clientRegistration.getClientId())
 				.authorizationUri(clientRegistration.getProviderDetails().getAuthorizationUri())
 				.redirectUri(redirectUriStr)
 				.scopes(clientRegistration.getScopes())
 				.state(this.stateGenerator.generateKey())
-				.attributes(attributes)
-				.build();
+				.attributes(attrs -> attrs.put(OAuth2ParameterNames.REGISTRATION_ID, clientRegistration.getRegistrationId()));
 
-		return authorizationRequest;
+		if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(clientRegistration.getAuthorizationGrantType()) &&
+				ClientAuthenticationMethod.NONE.equals(clientRegistration.getClientAuthenticationMethod())) {
+			// Add PKCE parameters for public clients
+			this.pkceParameterBuilder.accept(builder, clientRegistration);
+		}
+
+		if (this.authorizationRequestBuilder != null) {
+			this.authorizationRequestBuilder.accept(builder, clientRegistration);
+		}
+
+		return builder.build();
 	}
 
 	private String resolveRegistrationId(HttpServletRequest request) {
@@ -199,34 +213,4 @@ private static String expandRedirectUri(HttpServletRequest request, ClientRegist
 				.buildAndExpand(uriVariables)
 				.toUriString();
 	}
-
-	/**
-	 * Creates and adds additional PKCE parameters for use in the OAuth 2.0 Authorization and Access Token Requests
-	 *
-	 * @param attributes where {@link PkceParameterNames#CODE_VERIFIER} is stored for the token request
-	 * @param additionalParameters where {@link PkceParameterNames#CODE_CHALLENGE} and, usually,
-	 * {@link PkceParameterNames#CODE_CHALLENGE_METHOD} are added to be used in the authorization request.
-	 *
-	 * @since 5.2
-	 * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7636#section-1.1">1.1.  Protocol Flow</a>
-	 * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7636#section-4.1">4.1.  Client Creates a Code Verifier</a>
-	 * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7636#section-4.2">4.2.  Client Creates the Code Challenge</a>
-	 */
-	private void addPkceParameters(Map<String, Object> attributes, Map<String, Object> additionalParameters) {
-		String codeVerifier = this.codeVerifierGenerator.generateKey();
-		attributes.put(PkceParameterNames.CODE_VERIFIER, codeVerifier);
-		try {
-			String codeChallenge = createCodeChallenge(codeVerifier);
-			additionalParameters.put(PkceParameterNames.CODE_CHALLENGE, codeChallenge);
-			additionalParameters.put(PkceParameterNames.CODE_CHALLENGE_METHOD, "S256");
-		} catch (NoSuchAlgorithmException e) {
-			additionalParameters.put(PkceParameterNames.CODE_CHALLENGE, codeVerifier);
-		}
-	}
-
-	private String createCodeChallenge(String codeVerifier) throws NoSuchAlgorithmException {
-		MessageDigest md = MessageDigest.getInstance("SHA-256");
-		byte[] digest = md.digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
-		return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
-	}
 }
@@ -20,13 +20,13 @@
 import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
 import org.springframework.security.crypto.keygen.StringKeyGenerator;
+import org.springframework.security.oauth2.client.endpoint.PkceParameterBuilder;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
-import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;
 import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher;
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
 import org.springframework.util.Assert;
@@ -37,12 +37,10 @@
 import org.springframework.web.util.UriComponentsBuilder;
 import reactor.core.publisher.Mono;
 
-import java.nio.charset.StandardCharsets;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
 import java.util.Base64;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.function.BiConsumer;
 
 /**
  * The default implementation of {@link ServerOAuth2AuthorizationRequestResolver}.
@@ -53,6 +51,10 @@
  *
  * @author Rob Winch
  * @since 5.1
+ * @see ServerOAuth2AuthorizationRequestResolver
+ * @see OAuth2AuthorizationRequestRedirectWebFilter
+ * @see OAuth2AuthorizationRequest
+ * @see PkceParameterBuilder
  */
 public class DefaultServerOAuth2AuthorizationRequestResolver
 		implements ServerOAuth2AuthorizationRequestResolver {
@@ -75,7 +77,9 @@ public class DefaultServerOAuth2AuthorizationRequestResolver
 
 	private final StringKeyGenerator stateGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder());
 
-	private final StringKeyGenerator codeVerifierGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96);
+	private final BiConsumer<OAuth2AuthorizationRequest.Builder, ClientRegistration> pkceParameterBuilder = new PkceParameterBuilder();
+
+	private BiConsumer<OAuth2AuthorizationRequest.Builder, ClientRegistration> authorizationRequestBuilder;
 
 	/**
 	 * Creates a new instance
@@ -117,26 +121,29 @@ public Mono<OAuth2AuthorizationRequest> resolve(ServerWebExchange exchange,
 			.map(clientRegistration -> authorizationRequest(exchange, clientRegistration));
 	}
 
+	/**
+	 * Sets the {@link BiConsumer} that is ultimately supplied with the {@link OAuth2AuthorizationRequest.Builder} instance.
+	 * This provides the ability for the {@code BiConsumer} to mutate the {@link OAuth2AuthorizationRequest} before it is built.
+	 *
+	 * @since 5.2
+	 * @param authorizationRequestBuilder the {@link BiConsumer} that is supplied the {@code OAuth2AuthorizationRequest.Builder} instance
+	 */
+	public void setAuthorizationRequestBuilder(BiConsumer<OAuth2AuthorizationRequest.Builder, ClientRegistration> authorizationRequestBuilder) {
+		Assert.notNull(authorizationRequestBuilder, "authorizationRequestBuilder cannot be null");
+		this.authorizationRequestBuilder = authorizationRequestBuilder;
+	}
+
 	private Mono<ClientRegistration> findByRegistrationId(ServerWebExchange exchange, String clientRegistration) {
 		return this.clientRegistrationRepository.findByRegistrationId(clientRegistration)
 				.switchIfEmpty(Mono.error(() -> new ResponseStatusException(HttpStatus.BAD_REQUEST, "Invalid client registration id")));
 	}
 
 	private OAuth2AuthorizationRequest authorizationRequest(ServerWebExchange exchange,
 			ClientRegistration clientRegistration) {
-		String redirectUriStr = expandRedirectUri(exchange.getRequest(), clientRegistration);
-
-		Map<String, Object> attributes = new HashMap<>();
-		attributes.put(OAuth2ParameterNames.REGISTRATION_ID, clientRegistration.getRegistrationId());
 
 		OAuth2AuthorizationRequest.Builder builder;
 		if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(clientRegistration.getAuthorizationGrantType())) {
 			builder = OAuth2AuthorizationRequest.authorizationCode();
-			if (ClientAuthenticationMethod.NONE.equals(clientRegistration.getClientAuthenticationMethod())) {
-				Map<String, Object> additionalParameters = new HashMap<>();
-				addPkceParameters(attributes, additionalParameters);
-				builder.additionalParameters(additionalParameters);
-			}
 		}
 		else if (AuthorizationGrantType.IMPLICIT.equals(clientRegistration.getAuthorizationGrantType())) {
 			builder = OAuth2AuthorizationRequest.implicit();
@@ -146,13 +153,28 @@ else if (AuthorizationGrantType.IMPLICIT.equals(clientRegistration.getAuthorizat
 					"Invalid Authorization Grant Type (" + clientRegistration.getAuthorizationGrantType().getValue()
 							+ ") for Client Registration with Id: " + clientRegistration.getRegistrationId());
 		}
-		return builder
+
+		String redirectUriStr = expandRedirectUri(exchange.getRequest(), clientRegistration);
+
+		builder
 				.clientId(clientRegistration.getClientId())
 				.authorizationUri(clientRegistration.getProviderDetails().getAuthorizationUri())
-				.redirectUri(redirectUriStr).scopes(clientRegistration.getScopes())
+				.redirectUri(redirectUriStr)
+				.scopes(clientRegistration.getScopes())
 				.state(this.stateGenerator.generateKey())
-				.attributes(attributes)
-				.build();
+				.attributes(attrs -> attrs.put(OAuth2ParameterNames.REGISTRATION_ID, clientRegistration.getRegistrationId()));
+
+		if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(clientRegistration.getAuthorizationGrantType()) &&
+				ClientAuthenticationMethod.NONE.equals(clientRegistration.getClientAuthenticationMethod())) {
+			// Add PKCE parameters for public clients
+			this.pkceParameterBuilder.accept(builder, clientRegistration);
+		}
+
+		if (this.authorizationRequestBuilder != null) {
+			this.authorizationRequestBuilder.accept(builder, clientRegistration);
+		}
+
+		return builder.build();
 	}
 
 	/**
@@ -206,34 +228,4 @@ private static String expandRedirectUri(ServerHttpRequest request, ClientRegistr
 				.buildAndExpand(uriVariables)
 				.toUriString();
 	}
-
-	/**
-	 * Creates and adds additional PKCE parameters for use in the OAuth 2.0 Authorization and Access Token Requests
-	 *
-	 * @param attributes where {@link PkceParameterNames#CODE_VERIFIER} is stored for the token request
-	 * @param additionalParameters where {@link PkceParameterNames#CODE_CHALLENGE} and, usually,
-	 * {@link PkceParameterNames#CODE_CHALLENGE_METHOD} are added to be used in the authorization request.
-	 *
-	 * @since 5.2
-	 * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7636#section-1.1">1.1.  Protocol Flow</a>
-	 * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7636#section-4.1">4.1.  Client Creates a Code Verifier</a>
-	 * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7636#section-4.2">4.2.  Client Creates the Code Challenge</a>
-	 */
-	private void addPkceParameters(Map<String, Object> attributes, Map<String, Object> additionalParameters) {
-		String codeVerifier = this.codeVerifierGenerator.generateKey();
-		attributes.put(PkceParameterNames.CODE_VERIFIER, codeVerifier);
-		try {
-			String codeChallenge = createCodeChallenge(codeVerifier);
-			additionalParameters.put(PkceParameterNames.CODE_CHALLENGE, codeChallenge);
-			additionalParameters.put(PkceParameterNames.CODE_CHALLENGE_METHOD, "S256");
-		} catch (NoSuchAlgorithmException e) {
-			additionalParameters.put(PkceParameterNames.CODE_CHALLENGE, codeVerifier);
-		}
-	}
-
-	private String createCodeChallenge(String codeVerifier) throws NoSuchAlgorithmException {
-		MessageDigest md = MessageDigest.getInstance("SHA-256");
-		byte[] digest = md.digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
-		return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
-	}
 }