Add tests for Oidc Logout implementations

Author: jgrandja

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcLogoutAuthenticationProvider.java

@@ -27,7 +27,10 @@
 import org.springframework.security.core.session.SessionInformation;
 import org.springframework.security.core.session.SessionRegistry;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
 import org.springframework.security.oauth2.core.oidc.OidcIdToken;
 import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
@@ -78,7 +81,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 		OAuth2Authorization authorization = this.authorizationService.findByToken(
 				oidcLogoutAuthentication.getIdToken(), ID_TOKEN_TOKEN_TYPE);
 		if (authorization == null) {
-			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_TOKEN);
+			throwError(OAuth2ErrorCodes.INVALID_TOKEN, "id_token_hint");
 		}
 
 		RegisteredClient registeredClient = this.registeredClientRepository.findById(
@@ -94,15 +97,15 @@ public Authentication authenticate(Authentication authentication) throws Authent
 		List<String> audClaim = idToken.getAudience();
 		if (CollectionUtils.isEmpty(audClaim) ||
 				!audClaim.contains(registeredClient.getClientId())) {
-			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_TOKEN);
+			throwError(OAuth2ErrorCodes.INVALID_TOKEN, IdTokenClaimNames.AUD);
 		}
 		if (StringUtils.hasText(oidcLogoutAuthentication.getClientId()) &&
 				!oidcLogoutAuthentication.getClientId().equals(registeredClient.getClientId())) {
-			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_TOKEN);
+			throwError(OAuth2ErrorCodes.INVALID_TOKEN, OAuth2ParameterNames.CLIENT_ID);
 		}
 		if (StringUtils.hasText(oidcLogoutAuthentication.getPostLogoutRedirectUri()) &&
 				!registeredClient.getPostLogoutRedirectUris().contains(oidcLogoutAuthentication.getPostLogoutRedirectUri())) {
-			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_REQUEST);
+			throwError(OAuth2ErrorCodes.INVALID_REQUEST, "post_logout_redirect_uri");
 		}
 
 		if (this.logger.isTraceEnabled()) {
@@ -120,7 +123,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 				String sidClaim = idToken.getClaim("sid");
 				if (!StringUtils.hasText(sidClaim) ||
 						!sidClaim.equals(sessionInformation.getSessionId())) {
-					throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_TOKEN);
+					throwError(OAuth2ErrorCodes.INVALID_TOKEN, "sid");
 				}
 			}
 		}
@@ -160,4 +163,12 @@ private static SessionInformation findSessionInformation(Authentication principa
 		return sessionInformation;
 	}
 
+	private static void throwError(String errorCode, String parameterName) {
+		OAuth2Error error = new OAuth2Error(
+				errorCode,
+				"OpenID Connect 1.0 Logout Request Parameter: " + parameterName,
+				"https://openid.net/specs/openid-connect-rpinitiated-1_0.html#ValidationAndErrorHandling");
+		throw new OAuth2AuthenticationException(error);
+	}
+
 }

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcLogoutEndpointFilter.java

@@ -214,8 +214,7 @@ private void sendErrorResponse(HttpServletRequest request, HttpServletResponse r
 			AuthenticationException exception) throws IOException {
 
 		OAuth2Error error = ((OAuth2AuthenticationException) exception).getError();
-		response.sendError(HttpStatus.BAD_REQUEST.value(),
-				"OpenID Connect 1.0 RP-Initiated Logout Error: " + error.toString());
+		response.sendError(HttpStatus.BAD_REQUEST.value(), error.toString());
 	}
 
 }

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/authentication/OidcLogoutAuthenticationConverter.java

@@ -25,6 +25,7 @@
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcLogoutAuthenticationToken;
@@ -56,7 +57,7 @@ public Authentication convert(HttpServletRequest request) {
 		String idTokenHint = request.getParameter("id_token_hint");
 		if (!StringUtils.hasText(idTokenHint) ||
 				request.getParameterValues("id_token_hint").length != 1) {
-			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_REQUEST);
+			throwError(OAuth2ErrorCodes.INVALID_REQUEST, "id_token_hint");
 		}
 
 		Authentication principal = SecurityContextHolder.getContext().getAuthentication();
@@ -74,21 +75,21 @@ public Authentication convert(HttpServletRequest request) {
 		String clientId = parameters.getFirst(OAuth2ParameterNames.CLIENT_ID);
 		if (StringUtils.hasText(clientId) &&
 				parameters.get(OAuth2ParameterNames.CLIENT_ID).size() != 1) {
-			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_REQUEST);
+			throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.CLIENT_ID);
 		}
 
 		// post_logout_redirect_uri (OPTIONAL)
 		String postLogoutRedirectUri = parameters.getFirst("post_logout_redirect_uri");
 		if (StringUtils.hasText(postLogoutRedirectUri) &&
 				parameters.get("post_logout_redirect_uri").size() != 1) {
-			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_REQUEST);
+			throwError(OAuth2ErrorCodes.INVALID_REQUEST, "post_logout_redirect_uri");
 		}
 
 		// state (OPTIONAL)
 		String state = parameters.getFirst(OAuth2ParameterNames.STATE);
 		if (StringUtils.hasText(state) &&
 				parameters.get(OAuth2ParameterNames.STATE).size() != 1) {
-			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_REQUEST);
+			throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.STATE);
 		}
 
 		return new OidcLogoutAuthenticationToken(idTokenHint, principal,
@@ -108,4 +109,12 @@ private static MultiValueMap<String, String> getParameters(HttpServletRequest re
 		return parameters;
 	}
 
+	private static void throwError(String errorCode, String parameterName) {
+		OAuth2Error error = new OAuth2Error(
+				errorCode,
+				"OpenID Connect 1.0 Logout Request Parameter: " + parameterName,
+				"https://openid.net/specs/openid-connect-rpinitiated-1_0.html#ValidationAndErrorHandling");
+		throw new OAuth2AuthenticationException(error);
+	}
+
 }

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcTests.java

@@ -47,6 +47,7 @@
 import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType;
 import org.springframework.mock.http.client.MockClientHttpResponse;
 import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.mock.web.MockHttpSession;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -123,6 +124,7 @@
 public class OidcTests {
 	private static final String DEFAULT_AUTHORIZATION_ENDPOINT_URI = "/oauth2/authorize";
 	private static final String DEFAULT_TOKEN_ENDPOINT_URI = "/oauth2/token";
+	private static final String DEFAULT_OIDC_LOGOUT_ENDPOINT_URI = "/connect/logout";
 	private static final String AUTHORITIES_CLAIM = "authorities";
 	private static final OAuth2TokenType AUTHORIZATION_CODE_TOKEN_TYPE = new OAuth2TokenType(OAuth2ParameterNames.CODE);
 	private static EmbeddedDatabase db;
@@ -216,15 +218,69 @@ public void requestWhenAuthenticationRequestThenTokenResponseIncludesIdToken() t
 				servletResponse.getContentAsByteArray(), HttpStatus.valueOf(servletResponse.getStatus()));
 		OAuth2AccessTokenResponse accessTokenResponse = accessTokenHttpResponseConverter.read(OAuth2AccessTokenResponse.class, httpResponse);
 
-		// Assert user authorities was propagated as claim in ID Token
 		Jwt idToken = this.jwtDecoder.decode((String) accessTokenResponse.getAdditionalParameters().get(OidcParameterNames.ID_TOKEN));
+
+		// Assert user authorities was propagated as claim in ID Token
 		List<String> authoritiesClaim = idToken.getClaim(AUTHORITIES_CLAIM);
 		Authentication principal = authorization.getAttribute(Principal.class.getName());
 		Set<String> userAuthorities = new HashSet<>();
 		for (GrantedAuthority authority : principal.getAuthorities()) {
 			userAuthorities.add(authority.getAuthority());
 		}
 		assertThat(authoritiesClaim).containsExactlyInAnyOrderElementsOf(userAuthorities);
+
+		// Assert sid claim was added in ID Token
+		assertThat(idToken.<String>getClaim("sid")).isNotNull();
+	}
+
+	@Test
+	public void requestWhenLogoutRequestThenLogout() throws Exception {
+		this.spring.register(AuthorizationServerConfiguration.class).autowire();
+
+		RegisteredClient registeredClient = TestRegisteredClients.registeredClient().scope(OidcScopes.OPENID).build();
+		this.registeredClientRepository.save(registeredClient);
+
+		// Login
+		MultiValueMap<String, String> authorizationRequestParameters = getAuthorizationRequestParameters(registeredClient);
+		MvcResult mvcResult = this.mvc.perform(get(DEFAULT_AUTHORIZATION_ENDPOINT_URI)
+						.params(authorizationRequestParameters)
+						.with(user("user")))
+				.andExpect(status().is3xxRedirection())
+				.andReturn();
+
+		MockHttpSession session = (MockHttpSession) mvcResult.getRequest().getSession();
+		assertThat(session.isNew()).isTrue();
+
+		String redirectedUrl = mvcResult.getResponse().getRedirectedUrl();
+		String authorizationCode = extractParameterFromRedirectUri(redirectedUrl, "code");
+		OAuth2Authorization authorization = this.authorizationService.findByToken(authorizationCode, AUTHORIZATION_CODE_TOKEN_TYPE);
+
+		// Get ID Token
+		mvcResult = this.mvc.perform(post(DEFAULT_TOKEN_ENDPOINT_URI)
+						.params(getTokenRequestParameters(registeredClient, authorization))
+						.header(HttpHeaders.AUTHORIZATION, "Basic " + encodeBasicAuth(
+								registeredClient.getClientId(), registeredClient.getClientSecret()))
+						.session(session))
+				.andExpect(status().isOk())
+				.andReturn();
+
+		MockHttpServletResponse servletResponse = mvcResult.getResponse();
+		MockClientHttpResponse httpResponse = new MockClientHttpResponse(
+				servletResponse.getContentAsByteArray(), HttpStatus.valueOf(servletResponse.getStatus()));
+		OAuth2AccessTokenResponse accessTokenResponse = accessTokenHttpResponseConverter.read(OAuth2AccessTokenResponse.class, httpResponse);
+
+		String idToken = (String) accessTokenResponse.getAdditionalParameters().get(OidcParameterNames.ID_TOKEN);
+
+		// Logout
+		mvcResult = this.mvc.perform(post(DEFAULT_OIDC_LOGOUT_ENDPOINT_URI)
+						.param("id_token_hint", idToken)
+						.session(session))
+				.andExpect(status().is3xxRedirection())
+				.andReturn();
+		redirectedUrl = mvcResult.getResponse().getRedirectedUrl();
+
+		assertThat(redirectedUrl).matches("/");
+		assertThat(session.isInvalid()).isTrue();
 	}
 
 	@Test