
Add Clock Skew Tests

Fixes gh-7511

Co-authored-by: Isaac Cummings <josh.cummings+zac@gmail.com>
Everett Irwin 5 年 前
6ad328f909

+ 18 - 0
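--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/ClientCredentialsOAuth2AuthorizedClientProviderTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/ClientCredentialsOAuth2AuthorizedClientProviderTests.java
@@ -153,4 +153,22 @@ public class ClientCredentialsOAuth2AuthorizedClientProviderTests {
 						.build();
 		assertThat(this.authorizedClientProvider.authorize(authorizationContext)).isNull();
 	}
+
+	@Test
+	public void authorizeWhenClientCredentialsAndTokenNotExpiredByClockSkewThenNotReauthorize() {
+		ClientCredentialsOAuth2AuthorizedClientProvider authorizedClientProvider =
+				new ClientCredentialsOAuth2AuthorizedClientProvider();
+		authorizedClientProvider.setClockSkew(Duration.ofHours(24));
+		Instant issuedAt = Instant.now().minus(Duration.ofDays(1));
+		OAuth2AccessToken expiredToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, "token",
+				issuedAt, issuedAt.plus(Duration.ofHours(1)));
+		OAuth2AuthorizedClient authorizedClient = new OAuth2AuthorizedClient(
+				this.clientRegistration, this.principal.getName(), expiredToken);
+
+		OAuth2AuthorizationContext authorizationContext =
+				OAuth2AuthorizationContext.withAuthorizedClient(authorizedClient)
+						.principal(this.principal)
+						.build();
+		assertThat(authorizedClientProvider.authorize(authorizationContext)).isNull();
+	}
 }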
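Review bot: The fixture at lines 27–30 builds a token whose expiresAt is roughly 23 hours in the past and then asserts that a 24-hour clockSkew makes `authorize` return null, so the test pins the skew as a grace period after expiry (token still valid while `now < expiresAt + clockSkew`) rather than an early-refresh margin before it; the provider's expiry check is not in the hunk, so confirm that direction against the `setClockSkew` Javadoc, because a grace period means the client keeps presenting an already-expired bearer token to the resource server for the whole skew window instead of refreshing early. The local named `expiredToken` contradicts the method name `...TokenNotExpiredByClockSkew...`; rename it or state the intent, e.g. `// expired ~23h ago but inside the 24h skew window, so the provider must not re-authorize`. `Instant.now()` ties the boundary to wall-clock time; if the provider exposes a `setClock(Clock)`, a `Clock.fixed(...)` would make the expiry arithmetic exact and the test independent of run time. The Password test in the next file section asserts the same semantics with the same fixture shape and should carry the same clarification.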

+ 21 - 0
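--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/PasswordOAuth2AuthorizedClientProviderTests.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/PasswordOAuth2AuthorizedClientProviderTests.java
@@ -187,4 +187,25 @@ public class PasswordOAuth2AuthorizedClientProviderTests {
 						.build();
 		assertThat(this.authorizedClientProvider.authorize(authorizationContext)).isNull();
 	}
+
+	@Test
+	public void authorizeWhenPasswordAndAuthorizedWithoutRefreshTokenAndTokenNotExpiredByClockSkewThenNotReauthorize() {
+		PasswordOAuth2AuthorizedClientProvider authorizedClientProvider =
+				new PasswordOAuth2AuthorizedClientProvider();
+		authorizedClientProvider.setClockSkew(Duration.ofHours(24));
+		Instant issuedAt = Instant.now().minus(Duration.ofDays(1));
+		Instant expiresAt = issuedAt.plus(Duration.ofMinutes(60));
+		OAuth2AccessToken accessToken = new OAuth2AccessToken(
+				OAuth2AccessToken.TokenType.BEARER, "access-token-expired", issuedAt, expiresAt);
+		OAuth2AuthorizedClient authorizedClient = new OAuth2AuthorizedClient(
+				this.clientRegistration, this.principal.getName(), accessToken);	// without refresh token
+
+		OAuth2AuthorizationContext authorizationContext =
+				OAuth2AuthorizationContext.withAuthorizedClient(authorizedClient)
+						.attribute(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, "username")
+						.attribute(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, "password")
+						.principal(this.principal)
+						.build();
+		assertThat(authorizedClientProvider.authorize(authorizationContext)).isNull();
+	}
 }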

+ 15 - 0
oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/RefreshTokenReactiveOAuth2AuthorizedClientProviderTests.java

@@ -135,6 +135,21 @@ public class RefreshTokenReactiveOAuth2AuthorizedClientProviderTests {
 		assertThat(this.authorizedClientProvider.authorize(authorizationContext).block()).isNull();
 		assertThat(this.authorizedClientProvider.authorize(authorizationContext).block()).isNull();
 	}
 	}
 
 
+	@Test
+	public void authorizeWhenAuthorizedAndAccessTokenNotExpiredByClockSkewThenNotReauthorize() {
+		RefreshTokenReactiveOAuth2AuthorizedClientProvider authorizedClientProvider
+				= new RefreshTokenReactiveOAuth2AuthorizedClientProvider();
+		authorizedClientProvider.setClockSkew(Duration.ofHours(24));
+		OAuth2AuthorizedClient authorizedClient = new OAuth2AuthorizedClient(this.clientRegistration, this.principal.getName(),
+				this.authorizedClient.getAccessToken(), this.authorizedClient.getRefreshToken());
+
+		OAuth2AuthorizationContext authorizationContext =
+				OAuth2AuthorizationContext.withAuthorizedClient(authorizedClient)
+						.principal(this.principal)
+						.build();
+		assertThat(authorizedClientProvider.authorize(authorizationContext).block()).isNull();
+	}
+
 	@Test
 	@Test
 	public void authorizeWhenAuthorizedAndAccessTokenExpiredThenReauthorize() {
 	public void authorizeWhenAuthorizedAndAccessTokenExpiredThenReauthorize() {
 		OAuth2AccessTokenResponse accessTokenResponse = TestOAuth2AccessTokenResponses.accessTokenResponse()
 		OAuth2AccessTokenResponse accessTokenResponse = TestOAuth2AccessTokenResponses.accessTokenResponse()