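/*
 * Copyright 2020-2023 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package sample.authentication;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.web.OAuth2ClientAuthenticationFilter;
import org.springframework.util.Assert;

import sample.web.authentication.DeviceClientAuthenticationConverter;

/**
 * An {@link AuthenticationProvider} that authenticates a "device client": a public client that
 * presents only a {@code client_id} using {@link ClientAuthenticationMethod#NONE}, i.e. without
 * any credential.
 *
 * <p>No secret is verified here. The only check that stands between a caller who knows a
 * {@code client_id} and a successful authentication is that the {@link RegisteredClient} resolved
 * for that id explicitly lists {@link ClientAuthenticationMethod#NONE} among its allowed client
 * authentication methods. Unknown clients and registrations that do not allow {@code none} are
 * both rejected with an {@code invalid_client} error.
 *
 * @author Joe Grandja
 * @author Steve Riesenberg
 * @since 1.1
 * @see DeviceClientAuthenticationToken
 * @see DeviceClientAuthenticationConverter
 * @see OAuth2ClientAuthenticationFilter
 */
public final class DeviceClientAuthenticationProvider implements AuthenticationProvider {

	/** Error URI attached to every {@code invalid_client} error raised by this provider. */
	private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1";

	private final Log logger = LogFactory.getLog(getClass());

	private final RegisteredClientRepository registeredClientRepository;

	/**
	 * Creates a provider that resolves {@code client_id} values against the given repository.
	 * @param registeredClientRepository the registry of known clients
	 * @throws IllegalArgumentException if {@code registeredClientRepository} is {@code null}
	 */
	public DeviceClientAuthenticationProvider(RegisteredClientRepository registeredClientRepository) {
		Assert.notNull(registeredClientRepository, "registeredClientRepository cannot be null");
		this.registeredClientRepository = registeredClientRepository;
	}

	/**
	 * Authenticates a {@link DeviceClientAuthenticationToken} whose client authentication method
	 * is {@link ClientAuthenticationMethod#NONE}.
	 * @param authentication the unauthenticated token; must be a
	 * {@link DeviceClientAuthenticationToken} (see {@link #supports(Class)})
	 * @return an authenticated {@link DeviceClientAuthenticationToken} carrying the resolved
	 * {@link RegisteredClient}, or {@code null} if the token's method is not {@code none} and this
	 * provider therefore does not apply
	 * @throws OAuth2AuthenticationException with {@code invalid_client} if the {@code client_id}
	 * is unknown or the registered client does not allow the {@code none} method
	 */
	@Override
	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
		DeviceClientAuthenticationToken deviceClientAuthentication = (DeviceClientAuthenticationToken) authentication;
		ClientAuthenticationMethod clientAuthenticationMethod = deviceClientAuthentication.getClientAuthenticationMethod();

		// Only the credential-less method is handled here; returning null signals "not applicable"
		// to the caller rather than failing the request outright.
		if (!ClientAuthenticationMethod.NONE.equals(clientAuthenticationMethod)) {
			return null;
		}

		String clientId = deviceClientAuthentication.getPrincipal().toString();
		RegisteredClient registeredClient = this.registeredClientRepository.findByClientId(clientId);
		if (registeredClient == null) {
			throw invalidClient(OAuth2ParameterNames.CLIENT_ID);
		}
		if (this.logger.isTraceEnabled()) {
			this.logger.trace("Retrieved registered client");
		}

		// The registration must opt in to "none": without this check any caller who knows a
		// client_id could authenticate as that client, since no secret is ever compared.
		if (!registeredClient.getClientAuthenticationMethods().contains(clientAuthenticationMethod)) {
			throw invalidClient("authentication_method");
		}
		if (this.logger.isTraceEnabled()) {
			this.logger.trace("Validated device client authentication parameters");
			this.logger.trace("Authenticated device client");
		}

		return new DeviceClientAuthenticationToken(registeredClient, clientAuthenticationMethod, null);
	}

	/**
	 * Reports whether this provider handles the given token type.
	 * @param authentication the {@link Authentication} class being offered
	 * @return {@code true} if it is a {@link DeviceClientAuthenticationToken} (or subclass)
	 */
	@Override
	public boolean supports(Class<?> authentication) {
		return DeviceClientAuthenticationToken.class.isAssignableFrom(authentication);
	}

	/**
	 * Builds the {@code invalid_client} exception raised for a failed check. Returned rather than
	 * thrown so call sites can {@code throw} it directly, which keeps the compiler's flow analysis
	 * aware that the method does not continue past the failure.
	 * @param parameterName the request parameter the failure is attributed to
	 * @return the exception to throw
	 */
	private static OAuth2AuthenticationException invalidClient(String parameterName) {
		OAuth2Error error = new OAuth2Error(
				OAuth2ErrorCodes.INVALID_CLIENT,
				"Device client authentication failed: " + parameterName,
				ERROR_URI
		);
		return new OAuth2AuthenticationException(error);
	}

}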