Skip to content

Commit d7f7e9d

Browse files
jzheauxjzheaux
committed
Add Jwt to BearerTokenAuthentication Converter
Fixes gh-7346
1 parent 068f4f0 commit d7f7e9d

File tree

2 files changed

+143
-0
lines changed

2 files changed

+143
-0
lines changed

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtBearerTokenAuthenticationConverter.java

Lines changed: 58 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,58 @@
1+
/*
2+
* Copyright 2002-2019 the original author or authors.
3+
*
4+
* Licensed under the Apache License, Version 2.0 (the "License");
5+
* you may not use this file except in compliance with the License.
6+
* You may obtain a copy of the License at
7+
*
8+
* https://www.apache.org/licenses/LICENSE-2.0
9+
*
10+
* Unless required by applicable law or agreed to in writing, software
11+
* distributed under the License is distributed on an "AS IS" BASIS,
12+
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
* See the License for the specific language governing permissions and
14+
* limitations under the License.
15+
*/
16+
17+
package org.springframework.security.oauth2.server.resource.authentication;
18+
19+
import java.util.Collection;
20+
import java.util.Map;
21+
22+
import org.springframework.core.convert.converter.Converter;
23+
import org.springframework.security.authentication.AbstractAuthenticationToken;
24+
import org.springframework.security.core.GrantedAuthority;
25+
import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
26+
import org.springframework.security.oauth2.core.OAuth2AccessToken;
27+
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
28+
import org.springframework.security.oauth2.jwt.Jwt;
29+
30+
/**
31+
* A {@link Converter} that takes a {@link Jwt} and converts it into a {@link BearerTokenAuthentication}.
32+
*
33+
* In the process, it will attempt to parse either the "scope" or "scp" attribute, whichever it finds first.
34+
*
35+
* It's not intended that this implementation be configured since it is simply an adapter. If you are using,
36+
* for example, a custom {@link JwtGrantedAuthoritiesConverter}, then it's recommended that you simply
37+
* create your own {@link Converter} that delegates to your custom {@link JwtGrantedAuthoritiesConverter}
38+
* and instantiates the appropriate {@link BearerTokenAuthentication}.
39+
*
40+
* @author Josh Cummings
41+
* @since 5.2
42+
*/
43+
public final class JwtBearerTokenAuthenticationConverter implements Converter<Jwt, AbstractAuthenticationToken> {
44+
private final JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
45+
46+
@Override
47+
public AbstractAuthenticationToken convert(Jwt jwt) {
48+
OAuth2AccessToken accessToken = new OAuth2AccessToken(
49+
OAuth2AccessToken.TokenType.BEARER, jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt());
50+
Map<String, Object> attributes = jwt.getClaims();
51+
52+
AbstractAuthenticationToken token = this.jwtAuthenticationConverter.convert(jwt);
53+
Collection<GrantedAuthority> authorities = token.getAuthorities();
54+
55+
OAuth2AuthenticatedPrincipal principal = new DefaultOAuth2AuthenticatedPrincipal(attributes, authorities);
56+
return new BearerTokenAuthentication(principal, accessToken, authorities);
57+
}
58+
}

oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/JwtBearerTokenAuthenticationConverterTests.java

Lines changed: 85 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,85 @@
1+
/*
2+
* Copyright 2002-2019 the original author or authors.
3+
*
4+
* Licensed under the Apache License, Version 2.0 (the "License");
5+
* you may not use this file except in compliance with the License.
6+
* You may obtain a copy of the License at
7+
*
8+
* https://www.apache.org/licenses/LICENSE-2.0
9+
*
10+
* Unless required by applicable law or agreed to in writing, software
11+
* distributed under the License is distributed on an "AS IS" BASIS,
12+
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
* See the License for the specific language governing permissions and
14+
* limitations under the License.
15+
*/
16+
17+
package org.springframework.security.oauth2.server.resource.authentication;
18+
19+
import java.util.Arrays;
20+
21+
import org.junit.Test;
22+
23+
import org.springframework.security.authentication.AbstractAuthenticationToken;
24+
import org.springframework.security.core.authority.SimpleGrantedAuthority;
25+
import org.springframework.security.oauth2.jwt.Jwt;
26+
27+
import static org.assertj.core.api.Assertions.assertThat;
28+
29+
/**
30+
* Tests for {@link JwtBearerTokenAuthenticationConverter}
31+
*
32+
* @author Josh Cummings
33+
*/
34+
public class JwtBearerTokenAuthenticationConverterTests {
35+
private final JwtBearerTokenAuthenticationConverter converter =
36+
new JwtBearerTokenAuthenticationConverter();
37+
38+
@Test
39+
public void convertWhenJwtThenBearerTokenAuthentication() {
40+
Jwt jwt = Jwt.withTokenValue("token-value")
41+
.claim("claim", "value")
42+
.header("header", "value")
43+
.build();
44+
45+
AbstractAuthenticationToken token = this.converter.convert(jwt);
46+
47+
assertThat(token).isInstanceOf(BearerTokenAuthentication.class);
48+
BearerTokenAuthentication bearerToken = (BearerTokenAuthentication) token;
49+
assertThat(bearerToken.getToken().getTokenValue()).isEqualTo("token-value");
50+
assertThat(bearerToken.getTokenAttributes()).containsOnlyKeys("claim");
51+
assertThat(bearerToken.getAuthorities()).isEmpty();
52+
}
53+
54+
@Test
55+
public void convertWhenJwtWithScopeAttributeThenBearerTokenAuthentication() {
56+
Jwt jwt = Jwt.withTokenValue("token-value")
57+
.claim("scope", "message:read message:write")
58+
.header("header", "value")
59+
.build();
60+
61+
AbstractAuthenticationToken token = this.converter.convert(jwt);
62+
63+
assertThat(token).isInstanceOf(BearerTokenAuthentication.class);
64+
BearerTokenAuthentication bearerToken = (BearerTokenAuthentication) token;
65+
assertThat(bearerToken.getAuthorities())
66+
.containsExactly(new SimpleGrantedAuthority("SCOPE_message:read"),
67+
new SimpleGrantedAuthority("SCOPE_message:write"));
68+
}
69+
70+
@Test
71+
public void convertWhenJwtWithScpAttributeThenBearerTokenAuthentication() {
72+
Jwt jwt = Jwt.withTokenValue("token-value")
73+
.claim("scp", Arrays.asList("message:read", "message:write"))
74+
.header("header", "value")
75+
.build();
76+
77+
AbstractAuthenticationToken token = this.converter.convert(jwt);
78+
79+
assertThat(token).isInstanceOf(BearerTokenAuthentication.class);
80+
BearerTokenAuthentication bearerToken = (BearerTokenAuthentication) token;
81+
assertThat(bearerToken.getAuthorities())
82+
.containsExactly(new SimpleGrantedAuthority("SCOPE_message:read"),
83+
new SimpleGrantedAuthority("SCOPE_message:write"));
84+
}
85+
}

0 commit comments

Comments
 (0)