-
Notifications
You must be signed in to change notification settings - Fork 6.1k
Introduce OAuth2AuthorizedClient Manager/Provider #6845
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Closed
jgrandja
wants to merge
19
commits into
spring-projects:master
from
jgrandja:gh-6811-webclient-ext-reuse
Closed
Changes from 12 commits
Commits
Show all changes
19 commits
Select commit
Hold shift + click to select a range
4114e82
Introduce OAuth2AuthorizedClientProvider
jgrandja 12d207a
Add authorization_code OAuth2AuthorizedClientProvider
jgrandja c84990b
Add client_credentials OAuth2AuthorizedClientProvider
jgrandja e3875ed
Add refresh_token OAuth2AccessTokenResponseClient
jgrandja c100e62
Add refresh_token OAuth2AuthorizedClientProvider
jgrandja 22d43b9
Add delegating OAuth2AuthorizedClientProvider
jgrandja 7303821
Refactor and use OAuth2AuthorizedClientProvider implementations
jgrandja eef15bc
Simplify population of OAuth2AuthorizationContext
jgrandja 2269d09
Rename methods in OAuth2AuthorizationContext
jgrandja dd6c5b0
OAuth2AuthorizedClientProvider should not save OAuth2AuthorizedClient
jgrandja 21d8528
Revert "OAuth2AuthorizedClientProvider should not save OAuth2Authoriz…
jgrandja f9fc7d3
OAuth2AuthorizedClientProvider implementations load/save OAuth2Author…
jgrandja 8f046db
Introduce OAuth2AuthorizedClientManager
jgrandja 3eaa30f
Update OAuth2AuthorizedClientManager from review
jgrandja 468b929
Polish
jgrandja 0fcbc6c
Fix package tangles
jgrandja b0eff46
Updates from review
jgrandja 18285e5
Remove deprecation in ServletOAuth2AuthorizedClientExchangeFilterFunc…
jgrandja ac82955
Remove OAuth2AuthorizedClientManager.reauthorize()
jgrandja File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
99 changes: 99 additions & 0 deletions
99
...ringframework/security/oauth2/client/AuthorizationCodeOAuth2AuthorizedClientProvider.java
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,99 @@ | ||
| /* | ||
| * Copyright 2002-2019 the original author or authors. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * https://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
| package org.springframework.security.oauth2.client; | ||
|
|
||
| import org.springframework.lang.Nullable; | ||
| import org.springframework.security.oauth2.client.registration.ClientRegistration; | ||
| import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository; | ||
| import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository; | ||
| import org.springframework.security.oauth2.core.AuthorizationGrantType; | ||
| import org.springframework.util.Assert; | ||
|
|
||
| import javax.servlet.http.HttpServletRequest; | ||
| import javax.servlet.http.HttpServletResponse; | ||
|
|
||
| /** | ||
| * An implementation of an {@link OAuth2AuthorizedClientProvider} | ||
| * for the {@link AuthorizationGrantType#AUTHORIZATION_CODE authorization_code} grant. | ||
| * | ||
| * @author Joe Grandja | ||
| * @since 5.2 | ||
| * @see OAuth2AuthorizedClientProvider | ||
| */ | ||
| public final class AuthorizationCodeOAuth2AuthorizedClientProvider implements OAuth2AuthorizedClientProvider { | ||
| private static final String HTTP_SERVLET_REQUEST_ATTRIBUTE_NAME = HttpServletRequest.class.getName(); | ||
| private static final String HTTP_SERVLET_RESPONSE_ATTRIBUTE_NAME = HttpServletResponse.class.getName(); | ||
| private final ClientRegistrationRepository clientRegistrationRepository; | ||
| private final OAuth2AuthorizedClientRepository authorizedClientRepository; | ||
|
|
||
| /** | ||
| * Constructs an {@code AuthorizationCodeOAuth2AuthorizedClientProvider} using the provided parameters. | ||
| * | ||
| * @param clientRegistrationRepository the repository of client registrations | ||
| * @param authorizedClientRepository the repository of authorized clients | ||
| */ | ||
| public AuthorizationCodeOAuth2AuthorizedClientProvider(ClientRegistrationRepository clientRegistrationRepository, | ||
| OAuth2AuthorizedClientRepository authorizedClientRepository) { | ||
| Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null"); | ||
| Assert.notNull(authorizedClientRepository, "authorizedClientRepository cannot be null"); | ||
| this.clientRegistrationRepository = clientRegistrationRepository; | ||
| this.authorizedClientRepository = authorizedClientRepository; | ||
| } | ||
|
|
||
| /** | ||
| * Attempt to authorize the {@link OAuth2AuthorizationContext#getClientRegistrationId() client} in the provided {@code context}. | ||
| * Returns {@code null} if authorization is not supported, | ||
| * e.g. the client's {@link ClientRegistration#getAuthorizationGrantType() authorization grant type} | ||
| * is not {@link AuthorizationGrantType#AUTHORIZATION_CODE authorization_code} OR the client is already authorized. | ||
| * | ||
| * <p> | ||
| * The following {@link OAuth2AuthorizationContext#getAttributes() context attributes} are supported: | ||
| * <ol> | ||
| * <li>{@code "javax.servlet.http.HttpServletRequest"} (required) - the {@code HttpServletRequest}</li> | ||
| * <li>{@code "javax.servlet.http.HttpServletResponse"} (required) - the {@code HttpServletResponse}</li> | ||
| * </ol> | ||
| * | ||
| * @param context the context that holds authorization-specific state for the client | ||
| * @return the {@link OAuth2AuthorizedClient} or {@code null} if authorization is not supported | ||
| */ | ||
| @Override | ||
| @Nullable | ||
| public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) { | ||
| Assert.notNull(context, "context cannot be null"); | ||
|
|
||
| HttpServletRequest request = context.getAttribute(HTTP_SERVLET_REQUEST_ATTRIBUTE_NAME); | ||
| HttpServletResponse response = context.getAttribute(HTTP_SERVLET_RESPONSE_ATTRIBUTE_NAME); | ||
| Assert.notNull(request, "The context attribute cannot be null '" + HTTP_SERVLET_REQUEST_ATTRIBUTE_NAME + "'"); | ||
| Assert.notNull(response, "The context attribute cannot be null '" + HTTP_SERVLET_RESPONSE_ATTRIBUTE_NAME + "'"); | ||
|
|
||
| String clientRegistrationId = context.getClientRegistrationId(); | ||
| ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId(clientRegistrationId); | ||
| Assert.notNull(clientRegistration, "Could not find ClientRegistration with id '" + clientRegistrationId + "'"); | ||
|
|
||
| if (!AuthorizationGrantType.AUTHORIZATION_CODE.equals(clientRegistration.getAuthorizationGrantType())) { | ||
| return null; | ||
| } | ||
|
|
||
| OAuth2AuthorizedClient authorizedClient = this.authorizedClientRepository.loadAuthorizedClient( | ||
| clientRegistrationId, context.getPrincipal(), request); | ||
| if (authorizedClient == null) { | ||
| // ClientAuthorizationRequiredException is caught by OAuth2AuthorizationRequestRedirectFilter which initiates authorization | ||
| throw new ClientAuthorizationRequiredException(clientRegistrationId); | ||
| } | ||
|
|
||
| return null; | ||
| } | ||
| } |
155 changes: 155 additions & 0 deletions
155
...ringframework/security/oauth2/client/ClientCredentialsOAuth2AuthorizedClientProvider.java
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,155 @@ | ||
| /* | ||
| * Copyright 2002-2019 the original author or authors. | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * https://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
| package org.springframework.security.oauth2.client; | ||
|
|
||
| import org.springframework.lang.Nullable; | ||
| import org.springframework.security.oauth2.client.endpoint.DefaultClientCredentialsTokenResponseClient; | ||
| import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient; | ||
| import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest; | ||
| import org.springframework.security.oauth2.client.registration.ClientRegistration; | ||
| import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository; | ||
| import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository; | ||
| import org.springframework.security.oauth2.core.AbstractOAuth2Token; | ||
| import org.springframework.security.oauth2.core.AuthorizationGrantType; | ||
| import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse; | ||
| import org.springframework.util.Assert; | ||
|
|
||
| import javax.servlet.http.HttpServletRequest; | ||
| import javax.servlet.http.HttpServletResponse; | ||
| import java.time.Duration; | ||
| import java.time.Instant; | ||
|
|
||
| /** | ||
| * An implementation of an {@link OAuth2AuthorizedClientProvider} | ||
| * for the {@link AuthorizationGrantType#CLIENT_CREDENTIALS client_credentials} grant. | ||
| * | ||
| * @author Joe Grandja | ||
| * @since 5.2 | ||
| * @see OAuth2AuthorizedClientProvider | ||
| * @see DefaultClientCredentialsTokenResponseClient | ||
| */ | ||
| public final class ClientCredentialsOAuth2AuthorizedClientProvider implements OAuth2AuthorizedClientProvider { | ||
| private static final String HTTP_SERVLET_REQUEST_ATTRIBUTE_NAME = HttpServletRequest.class.getName(); | ||
| private static final String HTTP_SERVLET_RESPONSE_ATTRIBUTE_NAME = HttpServletResponse.class.getName(); | ||
| private final ClientRegistrationRepository clientRegistrationRepository; | ||
| private final OAuth2AuthorizedClientRepository authorizedClientRepository; | ||
| private OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient = | ||
| new DefaultClientCredentialsTokenResponseClient(); | ||
| private Duration clockSkew = Duration.ofSeconds(60); | ||
|
|
||
| /** | ||
| * Constructs a {@code ClientCredentialsOAuth2AuthorizedClientProvider} using the provided parameters. | ||
| * | ||
| * @param clientRegistrationRepository the repository of client registrations | ||
| * @param authorizedClientRepository the repository of authorized clients | ||
| */ | ||
| public ClientCredentialsOAuth2AuthorizedClientProvider(ClientRegistrationRepository clientRegistrationRepository, | ||
| OAuth2AuthorizedClientRepository authorizedClientRepository) { | ||
| Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null"); | ||
| Assert.notNull(authorizedClientRepository, "authorizedClientRepository cannot be null"); | ||
| this.clientRegistrationRepository = clientRegistrationRepository; | ||
| this.authorizedClientRepository = authorizedClientRepository; | ||
| } | ||
|
|
||
| /** | ||
| * Attempt to authorize (or re-authorize) the {@link OAuth2AuthorizationContext#getClientRegistrationId() client} in the provided {@code context}. | ||
| * Returns {@code null} if authorization (or re-authorization) is not supported, | ||
| * e.g. the client's {@link ClientRegistration#getAuthorizationGrantType() authorization grant type} | ||
| * is not {@link AuthorizationGrantType#CLIENT_CREDENTIALS client_credentials} OR | ||
| * the {@link OAuth2AuthorizedClient#getAccessToken() access token} is not expired. | ||
| * | ||
| * <p> | ||
| * The following {@link OAuth2AuthorizationContext#getAttributes() context attributes} are supported: | ||
| * <ol> | ||
| * <li>{@code "javax.servlet.http.HttpServletRequest"} (required) - the {@code HttpServletRequest}</li> | ||
| * <li>{@code "javax.servlet.http.HttpServletResponse"} (required) - the {@code HttpServletResponse}</li> | ||
| * </ol> | ||
| * | ||
| * @param context the context that holds authorization-specific state for the client | ||
| * @return the {@link OAuth2AuthorizedClient} or {@code null} if authorization (or re-authorization) is not supported | ||
| */ | ||
| @Override | ||
| @Nullable | ||
| public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) { | ||
| Assert.notNull(context, "context cannot be null"); | ||
|
|
||
| HttpServletRequest request = context.getAttribute(HTTP_SERVLET_REQUEST_ATTRIBUTE_NAME); | ||
| HttpServletResponse response = context.getAttribute(HTTP_SERVLET_RESPONSE_ATTRIBUTE_NAME); | ||
| Assert.notNull(request, "The context attribute cannot be null '" + HTTP_SERVLET_REQUEST_ATTRIBUTE_NAME + "'"); | ||
| Assert.notNull(response, "The context attribute cannot be null '" + HTTP_SERVLET_RESPONSE_ATTRIBUTE_NAME + "'"); | ||
|
|
||
| String clientRegistrationId = context.getClientRegistrationId(); | ||
| ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId(clientRegistrationId); | ||
| Assert.notNull(clientRegistration, "Could not find ClientRegistration with id '" + clientRegistrationId + "'"); | ||
|
|
||
| if (!AuthorizationGrantType.CLIENT_CREDENTIALS.equals(clientRegistration.getAuthorizationGrantType())) { | ||
| return null; | ||
| } | ||
|
|
||
| OAuth2AuthorizedClient authorizedClient = this.authorizedClientRepository.loadAuthorizedClient( | ||
| clientRegistrationId, context.getPrincipal(), request); | ||
| if (authorizedClient != null && !hasTokenExpired(authorizedClient.getAccessToken())) { | ||
| return null; | ||
| } | ||
|
|
||
| // As per spec, in section 4.4.3 Access Token Response | ||
| // https://tools.ietf.org/html/rfc6749#section-4.4.3 | ||
| // A refresh token SHOULD NOT be included. | ||
| // | ||
| // Therefore, renewing an expired access token (re-authorization) | ||
| // is the same as acquiring a new access token (authorization). | ||
|
|
||
| OAuth2ClientCredentialsGrantRequest clientCredentialsGrantRequest = | ||
| new OAuth2ClientCredentialsGrantRequest(clientRegistration); | ||
| OAuth2AccessTokenResponse tokenResponse = | ||
| this.accessTokenResponseClient.getTokenResponse(clientCredentialsGrantRequest); | ||
|
|
||
| authorizedClient = new OAuth2AuthorizedClient( | ||
| clientRegistration, context.getPrincipal().getName(), tokenResponse.getAccessToken()); | ||
|
|
||
| this.authorizedClientRepository.saveAuthorizedClient( | ||
| authorizedClient, context.getPrincipal(), request, response); | ||
|
|
||
| return authorizedClient; | ||
| } | ||
|
|
||
| private boolean hasTokenExpired(AbstractOAuth2Token token) { | ||
| return token.getExpiresAt().isBefore(Instant.now().minus(this.clockSkew)); | ||
| } | ||
|
|
||
| /** | ||
| * Sets the client used when requesting an access token credential at the Token Endpoint for the {@code client_credentials} grant. | ||
| * | ||
| * @param accessTokenResponseClient the client used when requesting an access token credential at the Token Endpoint for the {@code client_credentials} grant | ||
| */ | ||
| public void setAccessTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient) { | ||
| Assert.notNull(accessTokenResponseClient, "accessTokenResponseClient cannot be null"); | ||
| this.accessTokenResponseClient = accessTokenResponseClient; | ||
| } | ||
|
|
||
| /** | ||
| * Sets the maximum acceptable clock skew, which is used when checking the | ||
| * {@link OAuth2AuthorizedClient#getAccessToken() access token} expiry. The default is 60 seconds. | ||
| * An access token is considered expired if it's before {@code Instant.now() - clockSkew}. | ||
| * | ||
| * @param clockSkew the maximum acceptable clock skew | ||
| */ | ||
| public void setClockSkew(Duration clockSkew) { | ||
| Assert.notNull(clockSkew, "clockSkew cannot be null"); | ||
| Assert.isTrue(clockSkew.getSeconds() >= 0, "clockSkew must be >= 0"); | ||
| this.clockSkew = clockSkew; | ||
| } | ||
| } | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.