Inicio Explorar Axuda
Rexistro Iniciar sesión
github
/
spring-security
réplica de https://github.com/spring-projects/spring-security
2
0
Fork 0
Ficheiros Incidencias 0 Wiki
Explorar o código

Extract OidcUserRequestUtils

This logic is shared by both reactive and non-reactive clients.

Issue: gh-5330
Rob Winch %!s(int64=7) %!d(string=hai) anos
pai
4d1c8f26c5
achega
adb8c60173
Modificáronse 2 ficheiros con 159 adicións e 0 borrados
Dividir vista Mostrar estatísticas de Diff
  1. 70 0
      oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserRequestUtils.java
  2. 89 0
      oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserRequestUtilsTests.java

+ 70 - 0
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserRequestUtils.java
Ver ficheiro 

@@ -0,0 +1,70 @@
 
+/*
 
+ * Copyright 2002-2018 the original author or authors.
 
+ *
 
+ * Licensed under the Apache License, Version 2.0 (the "License");
 
+ * you may not use this file except in compliance with the License.
 
+ * You may obtain a copy of the License at
 
+ *
 
+ *      http://www.apache.org/licenses/LICENSE-2.0
 
+ *
 
+ * Unless required by applicable law or agreed to in writing, software
 
+ * distributed under the License is distributed on an "AS IS" BASIS,
 
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 
+ * See the License for the specific language governing permissions and
 
+ * limitations under the License.
 
+ */
 
+
 
+package org.springframework.security.oauth2.client.oidc.userinfo;
 
+
 
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
 
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
 
+import org.springframework.util.CollectionUtils;
 
+import org.springframework.util.StringUtils;
 
+
 
+/**
 
+ * Utilities for working with the {@link OidcUserRequest}
 
+ *
 
+ * @author Rob Winch
 
+ * @since 5.1
 
+ */
 
+final class OidcUserRequestUtils {
 
+
 
+	/**
 
+	 * Determines if an {@link OidcUserRequest} should attempt to retrieve the user info endpoint. Will return true if
 
+	 * all of the following are true:
 
+	 *
 
+	 * <ul>
 
+	 *     <li>The user info endpoint is defined on the ClientRegistration</li>
 
+	 *     <li>The Client Registration uses the {@link AuthorizationGrantType#AUTHORIZATION_CODE} and scopes in the
 
+	 *       access token are defined in the {@link ClientRegistration}</li>
 
+	 * </ul>
 
+	 * @param userRequest
 
+	 * @return
 
+	 */
 
+	static boolean shouldRetrieveUserInfo(OidcUserRequest userRequest) {
 
+		// Auto-disabled if UserInfo Endpoint URI is not provided
 
+		ClientRegistration clientRegistration = userRequest.getClientRegistration();
 
+		if (StringUtils.isEmpty(clientRegistration.getProviderDetails()
 
+				.getUserInfoEndpoint().getUri())) {
 
+
 
+			return false;
 
+		}
 
+
 
+		// The Claims requested by the profile, email, address, and phone scope values
 
+		// are returned from the UserInfo Endpoint (as described in Section 5.3.2),
 
+		// when a response_type value is used that results in an Access Token being issued.
 
+		// However, when no Access Token is issued, which is the case for the response_type=id_token,
 
+		// the resulting Claims are returned in the ID Token.
 
+		// The Authorization Code Grant Flow, which is response_type=code, results in an Access Token being issued.
 
+		if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(clientRegistration.getAuthorizationGrantType())) {
 
+
 
+			// Return true if there is at least one match between the authorized scope(s) and UserInfo scope(s)
 
+			return CollectionUtils
 
+					.containsAny(userRequest.getAccessToken().getScopes(), userRequest.getClientRegistration().getScopes());
 
+		}
 
+
 
+		return false;
 
+	}
 
+
 
+	private OidcUserRequestUtils() {}
 
+}

+ 89 - 0
oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserRequestUtilsTests.java
Ver ficheiro 

@@ -0,0 +1,89 @@
 
+/*
 
+ * Copyright 2002-2018 the original author or authors.
 
+ *
 
+ * Licensed under the Apache License, Version 2.0 (the "License");
 
+ * you may not use this file except in compliance with the License.
 
+ * You may obtain a copy of the License at
 
+ *
 
+ *      http://www.apache.org/licenses/LICENSE-2.0
 
+ *
 
+ * Unless required by applicable law or agreed to in writing, software
 
+ * distributed under the License is distributed on an "AS IS" BASIS,
 
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 
+ * See the License for the specific language governing permissions and
 
+ * limitations under the License.
 
+ */
 
+
 
+package org.springframework.security.oauth2.client.oidc.userinfo;
 
+
 
+import org.junit.Test;
 
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
 
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
 
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
 
+import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
 
+import org.springframework.security.oauth2.core.oidc.OidcIdToken;
 
+
 
+import java.time.Duration;
 
+import java.time.Instant;
 
+import java.util.Collections;
 
+
 
+import static org.assertj.core.api.Assertions.*;
 
+
 
+/**
 
+ * @author Rob Winch
 
+ * @since 5.1
 
+ */
 
+public class OidcUserRequestUtilsTests {
 
+	private ClientRegistration.Builder registration = ClientRegistration.withRegistrationId("id")
 
+			.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
 
+			.authorizationUri("https://example.com/oauth2/authorize")
 
+			.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 
+			.userInfoUri("https://example.com/users/me")
 
+			.clientId("client-id")
 
+			.clientName("client-name")
 
+			.clientSecret("client-secret")
 
+			.redirectUriTemplate("{baseUrl}/login/oauth2/code/{registrationId}")
 
+			.scope("user")
 
+			.tokenUri("https://example.com/oauth/access_token");
 
+
 
+	OidcIdToken idToken = new OidcIdToken("token123", Instant.now(),
 
+			Instant.now().plusSeconds(3600), Collections
 
+			.singletonMap(IdTokenClaimNames.SUB, "sub123"));
 
+
 
+	OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
 
+			"token",
 
+			Instant.now(),
 
+			Instant.now().plus(Duration.ofDays(1)),
 
+			Collections.singleton("user"));
 
+
 
+	@Test
 
+	public void shouldRetrieveUserInfoWhenEndpointDefinedAndScopesOverlapThenTrue() {
 
+		assertThat(OidcUserRequestUtils.shouldRetrieveUserInfo(userRequest())).isTrue();
 
+	}
 
+
 
+	@Test
 
+	public void shouldRetrieveUserInfoWhenNoUserInfoUriThenFalse() {
 
+		this.registration.userInfoUri(null);
 
+
 
+		assertThat(OidcUserRequestUtils.shouldRetrieveUserInfo(userRequest())).isFalse();
 
+	}
 
+
 
+	@Test
 
+	public void shouldRetrieveUserInfoWhenDifferentScopesThenFalse() {
 
+		this.registration.scope("notintoken");
 
+
 
+		assertThat(OidcUserRequestUtils.shouldRetrieveUserInfo(userRequest())).isFalse();
 
+	}
 
+
 
+	@Test
 
+	public void shouldRetrieveUserInfoWhenNotAuthorizationCodeThenFalse() {
 
+		this.registration.authorizationGrantType(AuthorizationGrantType.IMPLICIT);
 
+
 
+		assertThat(OidcUserRequestUtils.shouldRetrieveUserInfo(userRequest())).isFalse();
 
+	}
 
+
 
+	private OidcUserRequest userRequest() {
 
+		return new OidcUserRequest(this.registration.build(), this.accessToken, this.idToken);
 
+	}
 
+}