Halaman utama Jelajahi Bantuan
Daftar Masuk
github
/
spring-authorization-server
cermin dari https://github.com/spring-projects/spring-authorization-server
2
0
Fork 0
Berkas Masalah 0 Wiki
Jelajahi Sumber

Check user code expiry and invalidity

Closes gh-1977

Signed-off-by: Antoine Lauzon <139174762+antoinelauzon-bell@users.noreply.github.com>
Antoine Lauzon 2 bulan lalu
induk
84f9299e7b
melakukan
ce528eed9b
2 mengubah file dengan 91 tambahan dan 4 penghapusan
Unified View Tampilkan Statistik Diff
  1. 10 2
      oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProvider.java
  2. 81 2
      oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProviderTests.java

+ 10 - 2
oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProvider.java
Tampilan Berkas 

@@ -1,5 +1,5 @@
 
 /*
 
 /*
 
- * Copyright 2020-2023 the original author or authors.
 
+ * Copyright 2020-2025 the original author or authors.
 
  *
 
  *
 
  * Licensed under the Apache License, Version 2.0 (the "License");
 
  * Licensed under the Apache License, Version 2.0 (the "License");
 
  * you may not use this file except in compliance with the License.
 
  * you may not use this file except in compliance with the License.
 
@@ -109,6 +109,15 @@ public final class OAuth2DeviceVerificationAuthenticationProvider implements Aut
 
 			this.logger.trace("Retrieved authorization with user code");
 
 			this.logger.trace("Retrieved authorization with user code");
 
 		}
 
 		}
 
 
 
+		OAuth2Authorization.Token<OAuth2UserCode> userCode = authorization.getToken(OAuth2UserCode.class);
 
+		if (!userCode.isActive()) {
 
+			if (!userCode.isInvalidated()) {
 
+				authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, userCode.getToken());
 
+				this.authorizationService.save(authorization);
 
+			}
 
+			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
 
+		}
 
+
 
 		Authentication principal = (Authentication) deviceVerificationAuthentication.getPrincipal();
 
 		Authentication principal = (Authentication) deviceVerificationAuthentication.getPrincipal();
 
 		if (!isPrincipalAuthenticated(principal)) {
 
 		if (!isPrincipalAuthenticated(principal)) {
 
 			if (this.logger.isTraceEnabled()) {
 
 			if (this.logger.isTraceEnabled()) {
 
@@ -161,7 +170,6 @@ public final class OAuth2DeviceVerificationAuthenticationProvider implements Aut
 
 					requestedScopes, currentAuthorizedScopes);
 
 					requestedScopes, currentAuthorizedScopes);
 
 		}
 
 		}
 
 
 
-		OAuth2Authorization.Token<OAuth2UserCode> userCode = authorization.getToken(OAuth2UserCode.class);
 
 		// @formatter:off
 
 		// @formatter:off
 
 		authorization = OAuth2Authorization.from(authorization)
 
 		authorization = OAuth2Authorization.from(authorization)
 
 				.principalName(principal.getName())
 
 				.principalName(principal.getName())

+ 81 - 2
oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProviderTests.java
Tampilan Berkas 

@@ -1,5 +1,5 @@
 
 /*
 
 /*
 
- * Copyright 2020-2023 the original author or authors.
 
+ * Copyright 2020-2025 the original author or authors.
 
  *
 
  *
 
  * Licensed under the Apache License, Version 2.0 (the "License");
 
  * Licensed under the Apache License, Version 2.0 (the "License");
 
  * you may not use this file except in compliance with the License.
 
  * you may not use this file except in compliance with the License.
 
@@ -20,6 +20,7 @@ import java.time.Instant;
 
 import java.time.temporal.ChronoUnit;
 
 import java.time.temporal.ChronoUnit;
 
 import java.util.Collections;
 
 import java.util.Collections;
 
 import java.util.Map;
 
 import java.util.Map;
 
+import java.util.function.Consumer;
 
 import java.util.function.Function;
 
 import java.util.function.Function;
 
 
 
 import org.junit.jupiter.api.BeforeEach;
 
 import org.junit.jupiter.api.BeforeEach;
 
@@ -145,10 +146,79 @@ public class OAuth2DeviceVerificationAuthenticationProviderTests {
 
 		verifyNoInteractions(this.registeredClientRepository, this.authorizationConsentService);
 
 		verifyNoInteractions(this.registeredClientRepository, this.authorizationConsentService);
 
 	}
 
 	}
 
 
 
+	@Test
 
+	public void authenticateWhenUserCodeIsInvalidedThenThrowOAuth2AuthenticationException() {
 
+		RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
 
+		// @formatter:off
 
+		OAuth2Authorization authorization = TestOAuth2Authorizations
 
+				.authorization(registeredClient)
 
+				.token(createDeviceCode())
 
+				.token(createUserCode(), withInvalidated())
 
+				.attribute(OAuth2ParameterNames.SCOPE, registeredClient.getScopes())
 
+				.build();
 
+		// @formatter:on
 
+		given(this.authorizationService.findByToken(anyString(), any(OAuth2TokenType.class))).willReturn(authorization);
 
+		Authentication authentication = createAuthentication();
 
+		// @formatter:off
 
+		assertThatExceptionOfType(OAuth2AuthenticationException.class)
 
+				.isThrownBy(() -> this.authenticationProvider.authenticate(authentication))
 
+				.extracting(OAuth2AuthenticationException::getError)
 
+				.extracting(OAuth2Error::getErrorCode)
 
+				.isEqualTo(OAuth2ErrorCodes.INVALID_GRANT);
 
+		// @formatter:on
 
+
 
+		verify(this.authorizationService).findByToken(USER_CODE,
 
+				OAuth2DeviceVerificationAuthenticationProvider.USER_CODE_TOKEN_TYPE);
 
+		verifyNoMoreInteractions(this.authorizationService);
 
+		verifyNoInteractions(this.registeredClientRepository, this.authorizationConsentService);
 
+	}
 
+
 
+	@Test
 
+	public void authenticateWhenUserCodeIsExpiredButNotInvalidatedThenInvalidateUserCodeAndThrowOAuth2AuthenticationException() {
 
+		RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
 
+		// @formatter:off
 
+		OAuth2Authorization authorization = TestOAuth2Authorizations
 
+				.authorization(registeredClient)
 
+				// Device code would also be expired but not relevant for this test
 
+				.token(createDeviceCode())
 
+				.token(createExpiredUserCode())
 
+				.attribute(OAuth2ParameterNames.SCOPE, registeredClient.getScopes())
 
+				.build();
 
+		// @formatter:on
 
+		given(this.authorizationService.findByToken(anyString(), any(OAuth2TokenType.class))).willReturn(authorization);
 
+		Authentication authentication = createAuthentication();
 
+		// @formatter:off
 
+		assertThatExceptionOfType(OAuth2AuthenticationException.class)
 
+				.isThrownBy(() -> this.authenticationProvider.authenticate(authentication))
 
+				.extracting(OAuth2AuthenticationException::getError)
 
+				.extracting(OAuth2Error::getErrorCode)
 
+				.isEqualTo(OAuth2ErrorCodes.INVALID_GRANT);
 
+		// @formatter:on
 
+
 
+		ArgumentCaptor<OAuth2Authorization> authorizationCaptor = ArgumentCaptor.forClass(OAuth2Authorization.class);
 
+		verify(this.authorizationService).findByToken(USER_CODE,
 
+				OAuth2DeviceVerificationAuthenticationProvider.USER_CODE_TOKEN_TYPE);
 
+		verify(this.authorizationService).save(authorizationCaptor.capture());
 
+		verifyNoMoreInteractions(this.authorizationService);
 
+		verifyNoInteractions(this.registeredClientRepository, this.authorizationConsentService);
 
+
 
+		OAuth2Authorization updatedAuthorization = authorizationCaptor.getValue();
 
+		assertThat(updatedAuthorization.getToken(OAuth2UserCode.class))
 
+				.extracting(isInvalidated())
 
+				.isEqualTo(true);
 
+	}
 
+
 
 	@Test
 
 	@Test
 
 	public void authenticateWhenPrincipalNotAuthenticatedThenReturnUnauthenticated() {
 
 	public void authenticateWhenPrincipalNotAuthenticatedThenReturnUnauthenticated() {
 
 		RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
 
 		RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
 
-		OAuth2Authorization authorization = TestOAuth2Authorizations.authorization(registeredClient).build();
 
+		// @formatter:off
 
+		OAuth2Authorization authorization = TestOAuth2Authorizations
 
+				.authorization(registeredClient)
 
+				.token(createDeviceCode())
 
+				.token(createUserCode())
 
+				.attribute(OAuth2ParameterNames.SCOPE, registeredClient.getScopes())
 
+				.build();
 
+		// @formatter:on
 
 		TestingAuthenticationToken principal = new TestingAuthenticationToken("user", null);
 
 		TestingAuthenticationToken principal = new TestingAuthenticationToken("user", null);
 
 		Authentication authentication = new OAuth2DeviceVerificationAuthenticationToken(principal, USER_CODE,
 
 		Authentication authentication = new OAuth2DeviceVerificationAuthenticationToken(principal, USER_CODE,
 
 				Collections.emptyMap());
 
 				Collections.emptyMap());
 
@@ -331,6 +401,15 @@ public class OAuth2DeviceVerificationAuthenticationProviderTests {
 
 		return new OAuth2UserCode(USER_CODE, issuedAt, issuedAt.plus(30, ChronoUnit.MINUTES));
 
 		return new OAuth2UserCode(USER_CODE, issuedAt, issuedAt.plus(30, ChronoUnit.MINUTES));
 
 	}
 
 	}
 
 
 
+	private static OAuth2UserCode createExpiredUserCode() {
 
+		Instant issuedAt = Instant.now().minus(45, ChronoUnit.MINUTES);
 
+		return new OAuth2UserCode(USER_CODE, issuedAt, issuedAt.plus(30, ChronoUnit.MINUTES));
 
+	}
 
+
 
+	private static Consumer<Map<String, Object>> withInvalidated() {
 
+		return (metadata) -> metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true);
 
+	}
 
+
 
 	private static Function<OAuth2Authorization.Token<? extends OAuth2Token>, Boolean> isInvalidated() {
 
 	private static Function<OAuth2Authorization.Token<? extends OAuth2Token>, Boolean> isInvalidated() {
 
 		return (token) -> token.getMetadata(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME);
 
 		return (token) -> token.getMetadata(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME);
 
 	}
 
 	}