|
|
@@ -1,5 +1,5 @@
|
|
|
/*
|
|
|
- * Copyright 2002-2021 the original author or authors.
|
|
|
+ * Copyright 2002-2025 the original author or authors.
|
|
|
*
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
@@ -17,6 +17,7 @@
|
|
|
package org.springframework.security.oauth2.server.resource.web.authentication;
|
|
|
|
|
|
import java.io.IOException;
|
|
|
+import java.util.Map;
|
|
|
|
|
|
import jakarta.servlet.FilterChain;
|
|
|
import jakarta.servlet.ServletException;
|
|
|
@@ -32,7 +33,11 @@ import org.springframework.security.core.AuthenticationException;
|
|
|
import org.springframework.security.core.context.SecurityContext;
|
|
|
import org.springframework.security.core.context.SecurityContextHolder;
|
|
|
import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
|
|
+import org.springframework.security.oauth2.core.ClaimAccessor;
|
|
|
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
|
|
|
+import org.springframework.security.oauth2.server.resource.BearerTokenError;
|
|
|
+import org.springframework.security.oauth2.server.resource.BearerTokenErrors;
|
|
|
+import org.springframework.security.oauth2.server.resource.authentication.AbstractOAuth2TokenAuthenticationToken;
|
|
|
import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthenticationToken;
|
|
|
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
|
|
|
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
|
|
|
@@ -45,6 +50,8 @@ import org.springframework.security.web.authentication.WebAuthenticationDetailsS
|
|
|
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
|
|
|
import org.springframework.security.web.context.SecurityContextRepository;
|
|
|
import org.springframework.util.Assert;
|
|
|
+import org.springframework.util.CollectionUtils;
|
|
|
+import org.springframework.util.StringUtils;
|
|
|
import org.springframework.web.filter.OncePerRequestFilter;
|
|
|
|
|
|
/**
|
|
|
@@ -135,6 +142,12 @@ public class BearerTokenAuthenticationFilter extends OncePerRequestFilter {
|
|
|
try {
|
|
|
AuthenticationManager authenticationManager = this.authenticationManagerResolver.resolve(request);
|
|
|
Authentication authenticationResult = authenticationManager.authenticate(authenticationRequest);
|
|
|
+ if (isDPoPBoundAccessToken(authenticationResult)) {
|
|
|
+ // Prevent downgraded usage of DPoP-bound access tokens,
|
|
|
+ // by rejecting a DPoP-bound access token received as a bearer token.
|
|
|
+ BearerTokenError error = BearerTokenErrors.invalidToken("Invalid bearer token");
|
|
|
+ throw new OAuth2AuthenticationException(error);
|
|
|
+ }
|
|
|
SecurityContext context = this.securityContextHolderStrategy.createEmptyContext();
|
|
|
context.setAuthentication(authenticationResult);
|
|
|
this.securityContextHolderStrategy.setContext(context);
|
|
|
@@ -217,4 +230,17 @@ public class BearerTokenAuthenticationFilter extends OncePerRequestFilter {
|
|
|
this.authenticationDetailsSource = authenticationDetailsSource;
|
|
|
}
|
|
|
|
|
|
+ private static boolean isDPoPBoundAccessToken(Authentication authentication) {
|
|
|
+ if (!(authentication instanceof AbstractOAuth2TokenAuthenticationToken<?> accessTokenAuthentication)) {
|
|
|
+ return false;
|
|
|
+ }
|
|
|
+ ClaimAccessor accessTokenClaims = accessTokenAuthentication::getTokenAttributes;
|
|
|
+ String jwkThumbprintClaim = null;
|
|
|
+ Map<String, Object> confirmationMethodClaim = accessTokenClaims.getClaimAsMap("cnf");
|
|
|
+ if (!CollectionUtils.isEmpty(confirmationMethodClaim) && confirmationMethodClaim.containsKey("jkt")) {
|
|
|
+ jwkThumbprintClaim = (String) confirmationMethodClaim.get("jkt");
|
|
|
+ }
|
|
|
+ return StringUtils.hasText(jwkThumbprintClaim);
|
|
|
+ }
|
|
|
+
|
|
|
}
|
Joe Grandja