
OAuth2AccessToken.scopes includes authorized or requested scopes

Closes gh-224
Joe Grandja 4 years ago
parent
commit
6ffda38cb9

+ 1 - 1
oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java

@@ -166,7 +166,7 @@ public class OAuth2AuthorizationCodeAuthenticationProvider implements Authentica
 
 		OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
 				jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(),
-				jwtAccessToken.getExpiresAt(), jwtAccessToken.getClaim(OAuth2ParameterNames.SCOPE));
+				jwtAccessToken.getExpiresAt(), authorizedScopes);
 
 		OAuth2RefreshToken refreshToken = null;
 		if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)) {
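Review bot: The `scopes` reported by the OAuth2AccessToken at L19 are now taken from `authorizedScopes` instead of the JWT's `scope` claim, so the token response and the claim a resource server will enforce can diverge if a JwtEncodingContext customizer alters the claim; the same applies to `scopes` at L40 in OAuth2ClientCredentialsAuthenticationProvider and L61 in OAuth2RefreshTokenAuthenticationProvider. That appears to be the intent (the token response's `scope` parameter describes what the authorization server granted, not how the JWT encodes it), but nothing at the call site says so, and it is not visible here whether `authorizedScopes` can be null or empty and what the OAuth2AccessToken constructor does in that case. I would add `// The token response reports the scopes the authorization server granted; the JWT's scope claim may have been customized and is not authoritative here.` above L16, and confirm `authorizedScopes` is non-null at this point. `authorizedScopes` is assigned and the enclosing `authenticate` method continues outside this hunk.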

+ 1 - 2
oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationProvider.java

@@ -29,7 +29,6 @@ import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.OAuth2TokenType;
-import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.jwt.JoseHeader;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.JwtClaimsSet;
@@ -138,7 +137,7 @@ public class OAuth2ClientCredentialsAuthenticationProvider implements Authentica
 
 		OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
 				jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(),
-				jwtAccessToken.getExpiresAt(), jwtAccessToken.getClaim(OAuth2ParameterNames.SCOPE));
+				jwtAccessToken.getExpiresAt(), scopes);
 
 		// @formatter:off
 		OAuth2Authorization authorization = OAuth2Authorization.withRegisteredClient(registeredClient)

+ 1 - 2
oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationProvider.java

@@ -35,7 +35,6 @@ import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.OAuth2RefreshToken;
 import org.springframework.security.oauth2.core.OAuth2RefreshToken2;
 import org.springframework.security.oauth2.core.OAuth2TokenType;
-import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.jwt.JoseHeader;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.JwtClaimsSet;
@@ -170,7 +169,7 @@ public class OAuth2RefreshTokenAuthenticationProvider implements AuthenticationP
 
 		OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
 				jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(),
-				jwtAccessToken.getExpiresAt(), jwtAccessToken.getClaim(OAuth2ParameterNames.SCOPE));
+				jwtAccessToken.getExpiresAt(), scopes);
 
 		TokenSettings tokenSettings = registeredClient.getTokenSettings();
 

+ 4 - 0
oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProviderTests.java

@@ -264,6 +264,8 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
 		assertThat(accessTokenAuthentication.getRegisteredClient().getId()).isEqualTo(updatedAuthorization.getRegisteredClientId());
 		assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal);
 		assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(updatedAuthorization.getAccessToken().getToken());
+		assertThat(accessTokenAuthentication.getAccessToken().getScopes())
+				.isEqualTo(authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
 		assertThat(accessTokenAuthentication.getRefreshToken()).isNotNull();
 		assertThat(accessTokenAuthentication.getRefreshToken()).isEqualTo(updatedAuthorization.getRefreshToken().getToken());
 		OAuth2Authorization.Token<OAuth2AuthorizationCode> authorizationCode = updatedAuthorization.getToken(OAuth2AuthorizationCode.class);
@@ -320,6 +322,8 @@ public class OAuth2AuthorizationCodeAuthenticationProviderTests {
 		assertThat(accessTokenAuthentication.getRegisteredClient().getId()).isEqualTo(updatedAuthorization.getRegisteredClientId());
 		assertThat(accessTokenAuthentication.getPrincipal()).isEqualTo(clientPrincipal);
 		assertThat(accessTokenAuthentication.getAccessToken()).isEqualTo(updatedAuthorization.getAccessToken().getToken());
+		assertThat(accessTokenAuthentication.getAccessToken().getScopes())
+				.isEqualTo(authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME));
 		assertThat(accessTokenAuthentication.getRefreshToken()).isNotNull();
 		assertThat(accessTokenAuthentication.getRefreshToken()).isEqualTo(updatedAuthorization.getRefreshToken().getToken());
 		OAuth2Authorization.Token<OAuth2AuthorizationCode> authorizationCode = updatedAuthorization.getToken(OAuth2AuthorizationCode.class);

+ 3 - 2
oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationProviderTests.java

@@ -30,6 +30,7 @@ import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.core.OAuth2TokenType;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
 import org.springframework.security.oauth2.jwt.JoseHeaderNames;
@@ -37,7 +38,6 @@ import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.JwtEncoder;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
-import org.springframework.security.oauth2.core.OAuth2TokenType;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
 import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
@@ -168,7 +168,8 @@ public class OAuth2ClientCredentialsAuthenticationProviderTests {
 		OAuth2ClientCredentialsAuthenticationToken authentication =
 				new OAuth2ClientCredentialsAuthenticationToken(clientPrincipal, requestedScope);
 
-		when(this.jwtEncoder.encode(any(), any())).thenReturn(createJwt(requestedScope));
+		when(this.jwtEncoder.encode(any(), any()))
+				.thenReturn(createJwt(Collections.singleton("mapped-scoped")));
 
 		OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
 				(OAuth2AccessTokenAuthenticationToken) this.authenticationProvider.authenticate(authentication);
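Review bot: The stubbed JWT at L112-L113 now carries the scope `mapped-scoped`, deliberately different from `requestedScope`, but no assertion in this hunk ties `accessTokenAuthentication.getAccessToken().getScopes()` to `requestedScope`, which is the behavior the provider change is meant to establish; if the assertion exists later in the method, it is outside the hunk. I would add `assertThat(accessTokenAuthentication.getAccessToken().getScopes()).isEqualTo(requestedScope);` after the `authenticate` call so the test fails if the JWT claim is ever used again. The refresh-token test at L137-L156 has the same gap as far as this page shows: the assertion promised by its name `authenticateWhenRequestedScopesAuthorizedThenAccessTokenIncludesScopes` is not visible, and it should compare `getScopes()` against `requestedScopes` rather than the stubbed JWT's claim. `mapped-scoped` also reads like a typo for `mapped-scope`; it is only a test literal, but a less surprising value helps anyone reading the failure output.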

+ 6 - 3
oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationProviderTests.java

@@ -34,6 +34,7 @@ import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.OAuth2RefreshToken;
 import org.springframework.security.oauth2.core.OAuth2RefreshToken2;
+import org.springframework.security.oauth2.core.OAuth2TokenType;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
 import org.springframework.security.oauth2.jwt.JoseHeaderNames;
@@ -42,7 +43,6 @@ import org.springframework.security.oauth2.jwt.JwtEncoder;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.TestOAuth2Authorizations;
-import org.springframework.security.oauth2.core.OAuth2TokenType;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
 import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
@@ -182,7 +182,10 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
 
 	@Test
 	public void authenticateWhenRequestedScopesAuthorizedThenAccessTokenIncludesScopes() {
-		RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
+		RegisteredClient registeredClient = TestRegisteredClients.registeredClient()
+				.scope("scope2")
+				.scope("scope3")
+				.build();
 		OAuth2Authorization authorization = TestOAuth2Authorizations.authorization(registeredClient).build();
 		when(this.authorizationService.findByToken(
 				eq(authorization.getRefreshToken().getToken().getTokenValue()),
@@ -192,7 +195,7 @@ public class OAuth2RefreshTokenAuthenticationProviderTests {
 		OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient);
 		Set<String> authorizedScopes = authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME);
 		Set<String> requestedScopes = new HashSet<>(authorizedScopes);
-		requestedScopes.remove("email");
+		requestedScopes.remove("scope1");
 		OAuth2RefreshTokenAuthenticationToken authentication = new OAuth2RefreshTokenAuthenticationToken(
 				authorization.getRefreshToken().getToken().getTokenValue(), clientPrincipal, requestedScopes);