-
Notifications
You must be signed in to change notification settings - Fork 6.1k
Introduce OAuth2AuthorizedClient Manager/Provider #6845
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Closed
jgrandja
wants to merge
19
commits into
spring-projects:master
from
jgrandja:gh-6811-webclient-ext-reuse
Closed
Changes from all commits
Commits
Show all changes
19 commits
Select commit
Hold shift + click to select a range
4114e82
Introduce OAuth2AuthorizedClientProvider
jgrandja 12d207a
Add authorization_code OAuth2AuthorizedClientProvider
jgrandja c84990b
Add client_credentials OAuth2AuthorizedClientProvider
jgrandja e3875ed
Add refresh_token OAuth2AccessTokenResponseClient
jgrandja c100e62
Add refresh_token OAuth2AuthorizedClientProvider
jgrandja 22d43b9
Add delegating OAuth2AuthorizedClientProvider
jgrandja 7303821
Refactor and use OAuth2AuthorizedClientProvider implementations
jgrandja eef15bc
Simplify population of OAuth2AuthorizationContext
jgrandja 2269d09
Rename methods in OAuth2AuthorizationContext
jgrandja dd6c5b0
OAuth2AuthorizedClientProvider should not save OAuth2AuthorizedClient
jgrandja 21d8528
Revert "OAuth2AuthorizedClientProvider should not save OAuth2Authoriz…
jgrandja f9fc7d3
OAuth2AuthorizedClientProvider implementations load/save OAuth2Author…
jgrandja 8f046db
Introduce OAuth2AuthorizedClientManager
jgrandja 3eaa30f
Update OAuth2AuthorizedClientManager from review
jgrandja 468b929
Polish
jgrandja 0fcbc6c
Fix package tangles
jgrandja b0eff46
Updates from review
jgrandja 18285e5
Remove deprecation in ServletOAuth2AuthorizedClientExchangeFilterFunc…
jgrandja ac82955
Remove OAuth2AuthorizedClientManager.reauthorize()
jgrandja File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
54 changes: 54 additions & 0 deletions
54
...ringframework/security/oauth2/client/AuthorizationCodeOAuth2AuthorizedClientProvider.java
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| /* | ||
| * Copyright 2002-2019 the original author or authors. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * https://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
| package org.springframework.security.oauth2.client; | ||
|
|
||
| import org.springframework.lang.Nullable; | ||
| import org.springframework.security.oauth2.client.registration.ClientRegistration; | ||
| import org.springframework.security.oauth2.core.AuthorizationGrantType; | ||
| import org.springframework.util.Assert; | ||
|
|
||
| /** | ||
| * An implementation of an {@link OAuth2AuthorizedClientProvider} | ||
| * for the {@link AuthorizationGrantType#AUTHORIZATION_CODE authorization_code} grant. | ||
| * | ||
| * @author Joe Grandja | ||
| * @since 5.2 | ||
| * @see OAuth2AuthorizedClientProvider | ||
| */ | ||
| public final class AuthorizationCodeOAuth2AuthorizedClientProvider implements OAuth2AuthorizedClientProvider { | ||
|
|
||
| /** | ||
| * Attempt to authorize the {@link OAuth2AuthorizationContext#getClientRegistration() client} in the provided {@code context}. | ||
| * Returns {@code null} if authorization is not supported, | ||
| * e.g. the client's {@link ClientRegistration#getAuthorizationGrantType() authorization grant type} | ||
| * is not {@link AuthorizationGrantType#AUTHORIZATION_CODE authorization_code} OR the client is already authorized. | ||
| * | ||
| * @param context the context that holds authorization-specific state for the client | ||
| * @return the {@link OAuth2AuthorizedClient} or {@code null} if authorization is not supported | ||
| */ | ||
| @Override | ||
| @Nullable | ||
| public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) { | ||
| Assert.notNull(context, "context cannot be null"); | ||
|
|
||
| if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(context.getClientRegistration().getAuthorizationGrantType()) && | ||
| context.getAuthorizedClient() == null) { | ||
| // ClientAuthorizationRequiredException is caught by OAuth2AuthorizationRequestRedirectFilter which initiates authorization | ||
| throw new ClientAuthorizationRequiredException(context.getClientRegistration().getRegistrationId()); | ||
| } | ||
| return null; | ||
| } | ||
| } |
112 changes: 112 additions & 0 deletions
112
...ringframework/security/oauth2/client/ClientCredentialsOAuth2AuthorizedClientProvider.java
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,112 @@ | ||
| /* | ||
| * Copyright 2002-2019 the original author or authors. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * https://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
| package org.springframework.security.oauth2.client; | ||
|
|
||
| import org.springframework.lang.Nullable; | ||
| import org.springframework.security.oauth2.client.endpoint.DefaultClientCredentialsTokenResponseClient; | ||
| import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient; | ||
| import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest; | ||
| import org.springframework.security.oauth2.client.registration.ClientRegistration; | ||
| import org.springframework.security.oauth2.core.AbstractOAuth2Token; | ||
| import org.springframework.security.oauth2.core.AuthorizationGrantType; | ||
| import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse; | ||
| import org.springframework.util.Assert; | ||
|
|
||
| import java.time.Duration; | ||
| import java.time.Instant; | ||
|
|
||
| /** | ||
| * An implementation of an {@link OAuth2AuthorizedClientProvider} | ||
| * for the {@link AuthorizationGrantType#CLIENT_CREDENTIALS client_credentials} grant. | ||
| * | ||
| * @author Joe Grandja | ||
| * @since 5.2 | ||
| * @see OAuth2AuthorizedClientProvider | ||
| * @see DefaultClientCredentialsTokenResponseClient | ||
| */ | ||
| public final class ClientCredentialsOAuth2AuthorizedClientProvider implements OAuth2AuthorizedClientProvider { | ||
| private OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient = | ||
| new DefaultClientCredentialsTokenResponseClient(); | ||
| private Duration clockSkew = Duration.ofSeconds(60); | ||
|
|
||
| /** | ||
| * Attempt to authorize (or re-authorize) the {@link OAuth2AuthorizationContext#getClientRegistration() client} in the provided {@code context}. | ||
| * Returns {@code null} if authorization (or re-authorization) is not supported, | ||
| * e.g. the client's {@link ClientRegistration#getAuthorizationGrantType() authorization grant type} | ||
| * is not {@link AuthorizationGrantType#CLIENT_CREDENTIALS client_credentials} OR | ||
| * the {@link OAuth2AuthorizedClient#getAccessToken() access token} is not expired. | ||
| * | ||
| * @param context the context that holds authorization-specific state for the client | ||
| * @return the {@link OAuth2AuthorizedClient} or {@code null} if authorization (or re-authorization) is not supported | ||
| */ | ||
| @Override | ||
| @Nullable | ||
| public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) { | ||
| Assert.notNull(context, "context cannot be null"); | ||
|
|
||
| ClientRegistration clientRegistration = context.getClientRegistration(); | ||
| if (!AuthorizationGrantType.CLIENT_CREDENTIALS.equals(clientRegistration.getAuthorizationGrantType())) { | ||
| return null; | ||
| } | ||
|
|
||
| OAuth2AuthorizedClient authorizedClient = context.getAuthorizedClient(); | ||
| if (authorizedClient != null && !hasTokenExpired(authorizedClient.getAccessToken())) { | ||
| // If client is already authorized but access token is NOT expired than no need for re-authorization | ||
| return null; | ||
| } | ||
|
|
||
| // As per spec, in section 4.4.3 Access Token Response | ||
| // https://tools.ietf.org/html/rfc6749#section-4.4.3 | ||
| // A refresh token SHOULD NOT be included. | ||
| // | ||
| // Therefore, renewing an expired access token (re-authorization) | ||
| // is the same as acquiring a new access token (authorization). | ||
|
|
||
| OAuth2ClientCredentialsGrantRequest clientCredentialsGrantRequest = | ||
| new OAuth2ClientCredentialsGrantRequest(clientRegistration); | ||
| OAuth2AccessTokenResponse tokenResponse = | ||
| this.accessTokenResponseClient.getTokenResponse(clientCredentialsGrantRequest); | ||
|
|
||
| return new OAuth2AuthorizedClient(clientRegistration, context.getPrincipal().getName(), tokenResponse.getAccessToken()); | ||
| } | ||
|
|
||
| private boolean hasTokenExpired(AbstractOAuth2Token token) { | ||
| return token.getExpiresAt().isBefore(Instant.now().minus(this.clockSkew)); | ||
| } | ||
|
|
||
| /** | ||
| * Sets the client used when requesting an access token credential at the Token Endpoint for the {@code client_credentials} grant. | ||
| * | ||
| * @param accessTokenResponseClient the client used when requesting an access token credential at the Token Endpoint for the {@code client_credentials} grant | ||
| */ | ||
| public void setAccessTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient) { | ||
| Assert.notNull(accessTokenResponseClient, "accessTokenResponseClient cannot be null"); | ||
| this.accessTokenResponseClient = accessTokenResponseClient; | ||
| } | ||
|
|
||
| /** | ||
| * Sets the maximum acceptable clock skew, which is used when checking the | ||
| * {@link OAuth2AuthorizedClient#getAccessToken() access token} expiry. The default is 60 seconds. | ||
| * An access token is considered expired if it's before {@code Instant.now() - clockSkew}. | ||
| * | ||
| * @param clockSkew the maximum acceptable clock skew | ||
| */ | ||
| public void setClockSkew(Duration clockSkew) { | ||
| Assert.notNull(clockSkew, "clockSkew cannot be null"); | ||
| Assert.isTrue(clockSkew.getSeconds() >= 0, "clockSkew must be >= 0"); | ||
| this.clockSkew = clockSkew; | ||
| } | ||
| } | ||
73 changes: 73 additions & 0 deletions
73
.../org/springframework/security/oauth2/client/DelegatingOAuth2AuthorizedClientProvider.java
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| /* | ||
| * Copyright 2002-2019 the original author or authors. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * https://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
| package org.springframework.security.oauth2.client; | ||
|
|
||
| import org.springframework.lang.Nullable; | ||
| import org.springframework.util.Assert; | ||
|
|
||
| import java.util.ArrayList; | ||
| import java.util.Arrays; | ||
| import java.util.Collections; | ||
| import java.util.List; | ||
| import java.util.Objects; | ||
|
|
||
| /** | ||
| * An implementation of an {@link OAuth2AuthorizedClientProvider} that simply delegates | ||
| * to it's internal {@code List} of {@link OAuth2AuthorizedClientProvider}(s). | ||
| * <p> | ||
| * Each provider is given a chance to | ||
| * {@link OAuth2AuthorizedClientProvider#authorize(OAuth2AuthorizationContext) authorize} | ||
| * the {@link OAuth2AuthorizationContext#getClientRegistration() client} in the provided context | ||
| * with the first {@code non-null} {@link OAuth2AuthorizedClient} being returned. | ||
| * | ||
| * @author Joe Grandja | ||
| * @since 5.2 | ||
| * @see OAuth2AuthorizedClientProvider | ||
| */ | ||
| public final class DelegatingOAuth2AuthorizedClientProvider implements OAuth2AuthorizedClientProvider { | ||
| private final List<OAuth2AuthorizedClientProvider> authorizedClientProviders; | ||
|
|
||
| /** | ||
| * Constructs a {@code DelegatingOAuth2AuthorizedClientProvider} using the provided parameters. | ||
| * | ||
| * @param authorizedClientProviders a list of {@link OAuth2AuthorizedClientProvider}(s) | ||
| */ | ||
| public DelegatingOAuth2AuthorizedClientProvider(OAuth2AuthorizedClientProvider... authorizedClientProviders) { | ||
| Assert.notEmpty(authorizedClientProviders, "authorizedClientProviders cannot be empty"); | ||
| this.authorizedClientProviders = Collections.unmodifiableList(Arrays.asList(authorizedClientProviders)); | ||
| } | ||
|
|
||
| /** | ||
| * Constructs a {@code DelegatingOAuth2AuthorizedClientProvider} using the provided parameters. | ||
| * | ||
| * @param authorizedClientProviders a {@code List} of {@link OAuth2AuthorizedClientProvider}(s) | ||
| */ | ||
| public DelegatingOAuth2AuthorizedClientProvider(List<OAuth2AuthorizedClientProvider> authorizedClientProviders) { | ||
| Assert.notEmpty(authorizedClientProviders, "authorizedClientProviders cannot be empty"); | ||
| this.authorizedClientProviders = Collections.unmodifiableList(new ArrayList<>(authorizedClientProviders)); | ||
| } | ||
|
|
||
| @Override | ||
| @Nullable | ||
| public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) { | ||
| Assert.notNull(context, "context cannot be null"); | ||
| return this.authorizedClientProviders.stream() | ||
| .map(authorizedClientProvider -> authorizedClientProvider.authorize(context)) | ||
| .filter(Objects::nonNull) | ||
| .findFirst() | ||
| .orElse(null); | ||
| } | ||
| } |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.