
Remove AuthorizationRequestUriBuilder

Make this API private since we don't have concrete use cases for exposing
it yet.

Fixes gh-4742
Rob Winch 7 gadi atpakaļ
vecāks
revīzija
a3e38fec47

+ 2 - 4
config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -63,7 +63,6 @@ import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
-import org.springframework.security.oauth2.client.endpoint.AuthorizationRequestUriBuilder;
 import org.springframework.security.web.DefaultSecurityFilterChain;
 import org.springframework.security.web.PortMapper;
 import org.springframework.security.web.PortMapperImpl;
@@ -947,8 +946,8 @@ public final class HttpSecurity extends
 	 * At this point in the <i>&quot;authentication flow&quot;</i>, the configured
 	 * {@link OAuth2AccessTokenResponseClient}
 	 * will getTokenResponse the <i>Authorization Code</i> for an <i>Access Token</i> and then use it to access the protected resource
-	 * at the <i>UserInfo Endpoint</i> (via {@link org.springframework.security.oauth2.client.user.OAuth2UserService})
-	 * in order to retrieve the details of the <i>Resource Owner</i> (end-user) and establish the <i>&quot;authenticated&quot;</i> session.
+	 * at the <i>UserInfo Endpoint</i> in order to retrieve the details of the <i>Resource Owner</i> (end-user) and establish the
+	 * <i>&quot;authenticated&quot;</i> session.
 	 *
 	 * <h2>Example Configurations</h2>
 	 *
@@ -1040,7 +1039,6 @@ public final class HttpSecurity extends
 	 * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.1.2">Section 4.1.2 Authorization Response</a>
 	 * @see org.springframework.security.oauth2.client.registration.ClientRegistration
 	 * @see org.springframework.security.oauth2.client.registration.ClientRegistrationRepository
-	 * @see AuthorizationRequestUriBuilder
 	 * @see OAuth2AccessTokenResponseClient
 	 * @see org.springframework.security.oauth2.client.user.OAuth2UserService
 	 *
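Review bot: In the second hunk of this section, the context line directly above the re-wrapped Javadoc still reads "will getTokenResponse the <i>Authorization Code</i> for an <i>Access Token</i>", which looks like a leftover from an automated rename. Since the commit already edits this paragraph, the sentence could be repaired at the same time, presumably to `will exchange the <i>Authorization Code</i> for an <i>Access Token</i>`. The same hunk also drops the inline `{@link org.springframework.security.oauth2.client.user.OAuth2UserService}` reference, which the commit message does not explain, although the `@see` entry for that type remains in the last hunk.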

+ 0 - 11
config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/ImplicitGrantConfigurer.java

@@ -20,7 +20,6 @@ import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
-import org.springframework.security.oauth2.client.endpoint.AuthorizationRequestUriBuilder;
 import org.springframework.util.Assert;
 
 /**
@@ -33,7 +32,6 @@ public final class ImplicitGrantConfigurer<B extends HttpSecurityBuilder<B>> ext
 	AbstractHttpConfigurer<ImplicitGrantConfigurer<B>, B> {
 
 	private String authorizationRequestBaseUri;
-	private AuthorizationRequestUriBuilder authorizationRequestUriBuilder;
 
 	public ImplicitGrantConfigurer<B> authorizationRequestBaseUri(String authorizationRequestBaseUri) {
 		Assert.hasText(authorizationRequestBaseUri, "authorizationRequestBaseUri cannot be empty");
@@ -41,12 +39,6 @@ public final class ImplicitGrantConfigurer<B extends HttpSecurityBuilder<B>> ext
 		return this;
 	}
 
-	public ImplicitGrantConfigurer<B> authorizationRequestUriBuilder(AuthorizationRequestUriBuilder authorizationRequestUriBuilder) {
-		Assert.notNull(authorizationRequestUriBuilder, "authorizationRequestUriBuilder cannot be null");
-		this.authorizationRequestUriBuilder = authorizationRequestUriBuilder;
-		return this;
-	}
-
 	public ImplicitGrantConfigurer<B> clientRegistrationRepository(ClientRegistrationRepository clientRegistrationRepository) {
 		Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null");
 		this.getBuilder().setSharedObject(ClientRegistrationRepository.class, clientRegistrationRepository);
@@ -57,9 +49,6 @@ public final class ImplicitGrantConfigurer<B extends HttpSecurityBuilder<B>> ext
 	public void configure(B http) throws Exception {
 		OAuth2AuthorizationRequestRedirectFilter authorizationRequestFilter = new OAuth2AuthorizationRequestRedirectFilter(
 			this.getAuthorizationRequestBaseUri(), this.getClientRegistrationRepository());
-		if (this.authorizationRequestUriBuilder != null) {
-			authorizationRequestFilter.setAuthorizationRequestUriBuilder(this.authorizationRequestUriBuilder);
-		}
 		http.addFilter(this.postProcess(authorizationRequestFilter));
 	}
 

+ 2 - 13
config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java

@@ -22,9 +22,8 @@ import org.springframework.security.config.annotation.web.configurers.AbstractAu
 import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
 import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationProvider;
-import org.springframework.security.oauth2.client.endpoint.AuthorizationRequestUriBuilder;
-import org.springframework.security.oauth2.client.endpoint.NimbusAuthorizationCodeTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
+import org.springframework.security.oauth2.client.endpoint.NimbusAuthorizationCodeTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
 import org.springframework.security.oauth2.client.jwt.JwtDecoderRegistry;
 import org.springframework.security.oauth2.client.jwt.NimbusJwtDecoderRegistry;
@@ -96,7 +95,6 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>> exten
 
 	public class AuthorizationEndpointConfig {
 		private String authorizationRequestBaseUri;
-		private AuthorizationRequestUriBuilder authorizationRequestUriBuilder;
 		private AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository;
 
 		private AuthorizationEndpointConfig() {
@@ -108,12 +106,6 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>> exten
 			return this;
 		}
 
-		public AuthorizationEndpointConfig authorizationRequestUriBuilder(AuthorizationRequestUriBuilder authorizationRequestUriBuilder) {
-			Assert.notNull(authorizationRequestUriBuilder, "authorizationRequestUriBuilder cannot be null");
-			this.authorizationRequestUriBuilder = authorizationRequestUriBuilder;
-			return this;
-		}
-
 		public AuthorizationEndpointConfig authorizationRequestRepository(AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository) {
 			Assert.notNull(authorizationRequestRepository, "authorizationRequestRepository cannot be null");
 			this.authorizationRequestRepository = authorizationRequestRepository;
@@ -277,10 +269,7 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>> exten
 
 		OAuth2AuthorizationRequestRedirectFilter authorizationRequestFilter = new OAuth2AuthorizationRequestRedirectFilter(
 			authorizationRequestBaseUri, this.getClientRegistrationRepository());
-		if (this.authorizationEndpointConfig.authorizationRequestUriBuilder != null) {
-			authorizationRequestFilter.setAuthorizationRequestUriBuilder(
-				this.authorizationEndpointConfig.authorizationRequestUriBuilder);
-		}
+
 		if (this.authorizationEndpointConfig.authorizationRequestRepository != null) {
 			authorizationRequestFilter.setAuthorizationRequestRepository(
 				this.authorizationEndpointConfig.authorizationRequestRepository);

+ 0 - 46
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/AuthorizationRequestUriBuilder.java

@@ -1,46 +0,0 @@
-/*
- * Copyright 2002-2017 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.springframework.security.oauth2.client.endpoint;
-
-
-import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
-
-import java.net.URI;
-
-/**
- * Implementations of this interface are responsible for building an <i>OAuth 2.0 Authorization Request</i>,
- * which is used as the redirect <code>URI</code> to the <i>Authorization Endpoint</i>.
- *
- * <p>
- * The returned redirect <code>URI</code> will include the following parameters as query components to the
- * <i>Authorization Endpoint</i> (using the &quot;application/x-www-form-urlencoded&quot; format):
- * <ul>
- * <li>client identifier (required)</li>
- * <li>response type (required)</li>
- * <li>requested scope(s) (optional)</li>
- * <li>state (recommended)</li>
- * <li>redirection URI (optional) - the authorization server will send the user-agent back to once access is granted (or denied) by the end-user (resource owner)</li>
- * </ul>
- *
- * @author Joe Grandja
- * @since 5.0
- * @see OAuth2AuthorizationRequest
- * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.1.1">Section 4.1.1 Authorization Request</a>
- */
-public interface AuthorizationRequestUriBuilder {
-
-	URI build(OAuth2AuthorizationRequest authorizationRequest);
-}

+ 3 - 10
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java

@@ -18,12 +18,10 @@ package org.springframework.security.oauth2.client.web;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
 import org.springframework.security.crypto.keygen.StringKeyGenerator;
-import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationRequestUriBuilder;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
-import org.springframework.security.oauth2.client.endpoint.AuthorizationRequestUriBuilder;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.web.DefaultRedirectStrategy;
 import org.springframework.security.web.RedirectStrategy;
@@ -47,17 +45,17 @@ import java.util.Map;
  * by redirecting the end-user's user-agent to the authorization server's <i>Authorization Endpoint</i>.
  *
  * <p>
- * It uses an {@link AuthorizationRequestUriBuilder} to build the <i>OAuth 2.0 Authorization Request</i>,
+ * It builds the <i>OAuth 2.0 Authorization Request</i>,
  * which is used as the redirect <code>URI</code> to the <i>Authorization Endpoint</i>.
  * The redirect <code>URI</code> will include the client identifier, requested scope(s), state,
  * response type, and a redirection URI which the authorization server will send the user-agent back to
  * once access is granted (or denied) by the end-user (resource owner).
  *
  * @author Joe Grandja
+ * @author Rob Winch
  * @since 5.0
  * @see OAuth2AuthorizationRequest
  * @see AuthorizationRequestRepository
- * @see AuthorizationRequestUriBuilder
  * @see ClientRegistration
  * @see ClientRegistrationRepository
  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.1">Section 4.1 Authorization Code Grant</a>
@@ -70,7 +68,7 @@ public class OAuth2AuthorizationRequestRedirectFilter extends OncePerRequestFilt
 	private static final String REGISTRATION_ID_URI_VARIABLE_NAME = "registrationId";
 	private final AntPathRequestMatcher authorizationRequestMatcher;
 	private final ClientRegistrationRepository clientRegistrationRepository;
-	private AuthorizationRequestUriBuilder authorizationRequestUriBuilder = new OAuth2AuthorizationRequestUriBuilder();
+	private final OAuth2AuthorizationRequestUriBuilder authorizationRequestUriBuilder = new OAuth2AuthorizationRequestUriBuilder();
 	private final RedirectStrategy authorizationRedirectStrategy = new DefaultRedirectStrategy();
 	private final StringKeyGenerator stateGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder());
 	private AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository =
@@ -90,11 +88,6 @@ public class OAuth2AuthorizationRequestRedirectFilter extends OncePerRequestFilt
 		this.clientRegistrationRepository = clientRegistrationRepository;
 	}
 
-	public final void setAuthorizationRequestUriBuilder(AuthorizationRequestUriBuilder authorizationRequestUriBuilder) {
-		Assert.notNull(authorizationRequestUriBuilder, "authorizationRequestUriBuilder cannot be null");
-		this.authorizationRequestUriBuilder = authorizationRequestUriBuilder;
-	}
-
 	public final void setAuthorizationRequestRepository(AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository) {
 		Assert.notNull(authorizationRequestRepository, "authorizationRequestRepository cannot be null");
 		this.authorizationRequestRepository = authorizationRequestRepository;

+ 3 - 6
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2AuthorizationRequestUriBuilder.java → oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestUriBuilder.java

@@ -13,7 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.springframework.security.oauth2.client.endpoint;
+package org.springframework.security.oauth2.client.web;
 
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
@@ -24,19 +24,16 @@ import java.net.URI;
 import java.util.Set;
 
 /**
- * The default implementation of an {@link AuthorizationRequestUriBuilder},
- * which internally uses a {@link UriComponentsBuilder} to construct the <i>OAuth 2.0 Authorization Request</i>.
+ * Uses a {@link UriComponentsBuilder} to construct the <i>OAuth 2.0 Authorization Request</i>.
  *
  * @author Joe Grandja
  * @since 5.0
- * @see AuthorizationRequestUriBuilder
  * @see OAuth2AuthorizationRequest
  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.1.1">Section 4.1.1 Authorization Code Grant Request</a>
  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.2.1">Section 4.2.1 Implicit Grant Request</a>
  */
-public class OAuth2AuthorizationRequestUriBuilder implements AuthorizationRequestUriBuilder {
+class OAuth2AuthorizationRequestUriBuilder {
 
-	@Override
 	public URI build(OAuth2AuthorizationRequest authorizationRequest) {
 		Set<String> scopes = authorizationRequest.getScopes();
 		UriComponentsBuilder uriBuilder = UriComponentsBuilder
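Review bot: `build` keeps its `public` modifier on a class that is now package-private and not `final`, so the modifiers no longer state the intent of hiding this type. `final class OAuth2AuthorizationRequestUriBuilder` with a package-private `URI build(OAuth2AuthorizationRequest authorizationRequest)` would say it directly. The retained `@since 5.0` tag reads like a public-API marker, so a Javadoc sentence such as `Internal to this package; not part of the public API.` would help the next reader. The body of `build` continues outside the hunk.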

+ 1 - 15
oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java

@@ -24,7 +24,6 @@ import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
-import org.springframework.security.oauth2.client.endpoint.AuthorizationRequestUriBuilder;
 
 import javax.servlet.FilterChain;
 import javax.servlet.http.HttpServletRequest;
@@ -78,7 +77,7 @@ public class OAuth2AuthorizationRequestRedirectFilterTests {
 
 		Mockito.verifyZeroInteractions(filterChain);        // Request should not proceed up the chain
 
-		Assertions.assertThat(response.getRedirectedUrl()).isEqualTo(authorizationUri);
+		Assertions.assertThat(response.getRedirectedUrl()).matches("https://accounts.google.com/o/oauth2/auth\\?response_type=code&client_id=google-client-id&scope=openid%20email%20profile&state=.{15,}&redirect_uri=https://localhost:8080/login/oauth2/code/google");
 	}
 
 	@Test
@@ -117,21 +116,8 @@ public class OAuth2AuthorizationRequestRedirectFilterTests {
 
 	private OAuth2AuthorizationRequestRedirectFilter setupFilter(String authorizationUri,
 																	ClientRegistration... clientRegistrations) throws Exception {
-
-		AuthorizationRequestUriBuilder authorizationUriBuilder = Mockito.mock(AuthorizationRequestUriBuilder.class);
-		URI authorizationURI = new URI(authorizationUri);
-		Mockito.when(authorizationUriBuilder.build(Matchers.any(OAuth2AuthorizationRequest.class))).thenReturn(authorizationURI);
-
-		return setupFilter(authorizationUriBuilder, clientRegistrations);
-	}
-
-	private OAuth2AuthorizationRequestRedirectFilter setupFilter(AuthorizationRequestUriBuilder authorizationUriBuilder,
-																	ClientRegistration... clientRegistrations) throws Exception {
-
 		ClientRegistrationRepository clientRegistrationRepository = TestUtil.clientRegistrationRepository(clientRegistrations);
 		OAuth2AuthorizationRequestRedirectFilter filter = new OAuth2AuthorizationRequestRedirectFilter(clientRegistrationRepository);
-		filter.setAuthorizationRequestUriBuilder(authorizationUriBuilder);
-
 		return filter;
 	}
 }
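Review bot: The new assertion's `state=.{15,}` does not pin `state` to a single query parameter, because `.` also matches `&`, so the pattern still passes if extra parameters appear between `state` and `redirect_uri`. As `state` is the value that ties the callback to this request, `state=[^&]{15,}` is the tighter check now that the test exercises the real builder. In the last hunk, `setupFilter(String authorizationUri, ...)` no longer reads `authorizationUri`, so the parameter can be removed. The `URI` and `Matchers` imports probably become unused too, but they sit outside the visible hunks.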

+ 2 - 1
oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/OAuth2AuthorizationRequestUriBuilderTests.java → oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestUriBuilderTests.java

@@ -14,9 +14,10 @@
  * limitations under the License.
  */
 
-package org.springframework.security.oauth2.client.endpoint;
+package org.springframework.security.oauth2.client.web;
 
 import org.junit.Test;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestUriBuilder;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
 
 import java.net.URI;
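Review bot: The added `import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestUriBuilder;` is redundant, because the test now declares `package org.springframework.security.oauth2.client.web;` itself, so the import can be dropped. Moving the test into the builder's package is what lets it reach the now package-private class, so the package line is the only change this file needs.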