Polish gh-1068

Issue gh-1077

Author: jgrandja

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java

@@ -282,7 +282,7 @@ public boolean supports(Class<?> authentication) {
 	 * Sets the {@link SessionRegistry} used to track OpenID Connect sessions.
 	 *
 	 * @param sessionRegistry the {@link SessionRegistry} used to track OpenID Connect sessions
-	 * @since 1.1.0
+	 * @since 1.1
 	 */
 	public void setSessionRegistry(SessionRegistry sessionRegistry) {
 		Assert.notNull(sessionRegistry, "sessionRegistry cannot be null");

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/client/RegisteredClient.java

@@ -152,7 +152,7 @@ public Set<String> getRedirectUris() {
 	 * that the End-User's User Agent be redirected to after a logout has been performed.
 	 *
 	 * @return the {@code Set} of post logout redirect URI(s)
-	 * @since 1.1.0
+	 * @since 1.1
 	 */
 	public Set<String> getPostLogoutRedirectUris() {
 		return this.postLogoutRedirectUris;
@@ -447,7 +447,7 @@ public Builder redirectUris(Consumer<Set<String>> redirectUrisConsumer) {
 		 *
 		 * @param postLogoutRedirectUri the post logout redirect URI
 		 * @return the {@link Builder}
-		 * @since 1.1.0
+		 * @since 1.1
 		 */
 		public Builder postLogoutRedirectUri(String postLogoutRedirectUri) {
 			this.postLogoutRedirectUris.add(postLogoutRedirectUri);
@@ -460,7 +460,7 @@ public Builder postLogoutRedirectUri(String postLogoutRedirectUri) {
 		 *
 		 * @param postLogoutRedirectUrisConsumer a {@link Consumer} of the post logout redirect URI(s)
 		 * @return the {@link Builder}
-		 * @since 1.1.0
+		 * @since 1.1
 		 */
 		public Builder postLogoutRedirectUris(Consumer<Set<String>> postLogoutRedirectUrisConsumer) {
 			postLogoutRedirectUrisConsumer.accept(this.postLogoutRedirectUris);

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java

@@ -23,14 +23,19 @@
 
 import com.nimbusds.jose.jwk.source.JWKSource;
 
+import org.springframework.context.ApplicationListener;
+import org.springframework.context.event.GenericApplicationListenerAdapter;
+import org.springframework.context.event.SmartApplicationListener;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
+import org.springframework.security.context.DelegatingApplicationListener;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.session.SessionRegistry;
+import org.springframework.security.core.session.SessionRegistryImpl;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.OAuth2Token;
@@ -270,7 +275,8 @@ public void init(HttpSecurity httpSecurity) {
 
 		if (isOidcEnabled()) {
 			// Add OpenID Connect session tracking capabilities.
-			SessionRegistry sessionRegistry = OAuth2ConfigurerUtils.getSessionRegistry(httpSecurity);
+			initSessionRegistry(httpSecurity);
+			SessionRegistry sessionRegistry = httpSecurity.getSharedObject(SessionRegistry.class);
 			OAuth2AuthorizationEndpointConfigurer authorizationEndpointConfigurer =
 					getConfigurer(OAuth2AuthorizationEndpointConfigurer.class);
 			authorizationEndpointConfigurer.setSessionAuthenticationStrategy((authentication, request, response) -> {
@@ -388,4 +394,23 @@ private static void validateAuthorizationServerSettings(AuthorizationServerSetti
 		}
 	}
 
+	private static void initSessionRegistry(HttpSecurity httpSecurity) {
+		SessionRegistry sessionRegistry = OAuth2ConfigurerUtils.getOptionalBean(httpSecurity, SessionRegistry.class);
+		if (sessionRegistry == null) {
+			sessionRegistry = new SessionRegistryImpl();
+			registerDelegateApplicationListener(httpSecurity, (SessionRegistryImpl) sessionRegistry);
+		}
+		httpSecurity.setSharedObject(SessionRegistry.class, sessionRegistry);
+	}
+
+	private static void registerDelegateApplicationListener(HttpSecurity httpSecurity, ApplicationListener<?> delegate) {
+		DelegatingApplicationListener delegatingApplicationListener =
+				OAuth2ConfigurerUtils.getOptionalBean(httpSecurity, DelegatingApplicationListener.class);
+		if (delegatingApplicationListener == null) {
+			return;
+		}
+		SmartApplicationListener smartListener = new GenericApplicationListenerAdapter(delegate);
+		delegatingApplicationListener.addListener(smartListener);
+	}
+
 }

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2ConfigurerUtils.java

@@ -24,14 +24,8 @@
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.beans.factory.NoUniqueBeanDefinitionException;
 import org.springframework.context.ApplicationContext;
-import org.springframework.context.ApplicationListener;
-import org.springframework.context.event.GenericApplicationListenerAdapter;
-import org.springframework.context.event.SmartApplicationListener;
 import org.springframework.core.ResolvableType;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.context.DelegatingApplicationListener;
-import org.springframework.security.core.session.SessionRegistry;
-import org.springframework.security.core.session.SessionRegistryImpl;
 import org.springframework.security.oauth2.core.OAuth2Token;
 import org.springframework.security.oauth2.jwt.JwtEncoder;
 import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;
@@ -186,28 +180,6 @@ static AuthorizationServerSettings getAuthorizationServerSettings(HttpSecurity h
 		return authorizationServerSettings;
 	}
 
-	static SessionRegistry getSessionRegistry(HttpSecurity httpSecurity) {
-		SessionRegistry sessionRegistry = httpSecurity.getSharedObject(SessionRegistry.class);
-		if (sessionRegistry == null) {
-			sessionRegistry = getOptionalBean(httpSecurity, SessionRegistry.class);
-			if (sessionRegistry == null) {
-				sessionRegistry = new SessionRegistryImpl();
-				registerDelegateApplicationListener(httpSecurity, (SessionRegistryImpl) sessionRegistry);
-			}
-			httpSecurity.setSharedObject(SessionRegistry.class, sessionRegistry);
-		}
-		return sessionRegistry;
-	}
-
-	private static void registerDelegateApplicationListener(HttpSecurity httpSecurity, ApplicationListener<?> delegate) {
-		DelegatingApplicationListener delegatingApplicationListener = getOptionalBean(httpSecurity, DelegatingApplicationListener.class);
-		if (delegatingApplicationListener == null) {
-			return;
-		}
-		SmartApplicationListener smartListener = new GenericApplicationListenerAdapter(delegate);
-		delegatingApplicationListener.addListener(smartListener);
-	}
-
 	static <T> T getBean(HttpSecurity httpSecurity, Class<T> type) {
 		return httpSecurity.getSharedObject(ApplicationContext.class).getBean(type);
 	}

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2TokenEndpointConfigurer.java

@@ -220,11 +220,13 @@ private static List<AuthenticationProvider> createDefaultAuthenticationProviders
 
 		OAuth2AuthorizationService authorizationService = OAuth2ConfigurerUtils.getAuthorizationService(httpSecurity);
 		OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator = OAuth2ConfigurerUtils.getTokenGenerator(httpSecurity);
-		SessionRegistry sessionRegistry = OAuth2ConfigurerUtils.getSessionRegistry(httpSecurity);
 
 		OAuth2AuthorizationCodeAuthenticationProvider authorizationCodeAuthenticationProvider =
 				new OAuth2AuthorizationCodeAuthenticationProvider(authorizationService, tokenGenerator);
-		authorizationCodeAuthenticationProvider.setSessionRegistry(sessionRegistry);
+		SessionRegistry sessionRegistry = httpSecurity.getSharedObject(SessionRegistry.class);
+		if (sessionRegistry != null) {
+			authorizationCodeAuthenticationProvider.setSessionRegistry(sessionRegistry);
+		}
 		authenticationProviders.add(authorizationCodeAuthenticationProvider);
 
 		OAuth2RefreshTokenAuthenticationProvider refreshTokenAuthenticationProvider =

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcConfigurer.java

@@ -72,7 +72,7 @@ public OidcConfigurer providerConfigurationEndpoint(Customizer<OidcProviderConfi
 	 *
 	 * @param logoutEndpointCustomizer the {@link Customizer} providing access to the {@link OidcLogoutEndpointConfigurer}
 	 * @return the {@link OidcConfigurer} for further configuration
-	 * @since 1.1.0
+	 * @since 1.1
 	 */
 	public OidcConfigurer logoutEndpoint(Customizer<OidcLogoutEndpointConfigurer> logoutEndpointCustomizer) {
 		logoutEndpointCustomizer.customize(getConfigurer(OidcLogoutEndpointConfigurer.class));

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcLogoutEndpointConfigurer.java

@@ -26,6 +26,7 @@
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.core.session.SessionRegistry;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcLogoutAuthenticationProvider;
@@ -47,7 +48,7 @@
  * Configurer for OpenID Connect 1.0 RP-Initiated Logout Endpoint.
  *
  * @author Joe Grandja
- * @since 1.1.0
+ * @since 1.1
  * @see OidcConfigurer#logoutEndpoint
  * @see OidcLogoutEndpointFilter
  */
@@ -210,7 +211,7 @@ private static List<AuthenticationProvider> createDefaultAuthenticationProviders
 				new OidcLogoutAuthenticationProvider(
 						OAuth2ConfigurerUtils.getRegisteredClientRepository(httpSecurity),
 						OAuth2ConfigurerUtils.getAuthorizationService(httpSecurity),
-						OAuth2ConfigurerUtils.getSessionRegistry(httpSecurity));
+						httpSecurity.getSharedObject(SessionRegistry.class));
 		authenticationProviders.add(oidcLogoutAuthenticationProvider);
 
 		return authenticationProviders;

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/OidcClientMetadataClaimAccessor.java

@@ -101,7 +101,7 @@ default List<String> getRedirectUris() {
 	 * that the End-User's User Agent be redirected to after a logout has been performed.
 	 *
 	 * @return the post logout redirection {@code URI} values used by the Client
-	 * @since 1.1.0
+	 * @since 1.1
 	 */
 	default List<String> getPostLogoutRedirectUris() {
 		return getClaimAsStringList(OidcClientMetadataClaimNames.POST_LOGOUT_REDIRECT_URIS);

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/OidcClientMetadataClaimNames.java

@@ -66,7 +66,7 @@ public final class OidcClientMetadataClaimNames {
 	 * {@code post_logout_redirect_uris} - the post logout redirection {@code URI} values used by the Client.
 	 * The {@code post_logout_redirect_uri} parameter is used by the client when requesting
 	 * that the End-User's User Agent be redirected to after a logout has been performed.
-	 * @since 1.1.0
+	 * @since 1.1
 	 */
 	public static final String POST_LOGOUT_REDIRECT_URIS = "post_logout_redirect_uris";
 

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/OidcClientRegistration.java

@@ -176,7 +176,7 @@ public Builder redirectUris(Consumer<List<String>> redirectUrisConsumer) {
 		 *
 		 * @param postLogoutRedirectUri the post logout redirection {@code URI} used by the Client
 		 * @return the {@link Builder} for further configuration
-		 * @since 1.1.0
+		 * @since 1.1
 		 */
 		public Builder postLogoutRedirectUri(String postLogoutRedirectUri) {
 			addClaimToClaimList(OidcClientMetadataClaimNames.POST_LOGOUT_REDIRECT_URIS, postLogoutRedirectUri);
@@ -189,7 +189,7 @@ public Builder postLogoutRedirectUri(String postLogoutRedirectUri) {
 		 *
 		 * @param postLogoutRedirectUrisConsumer a {@code Consumer} of the post logout redirection {@code URI} values used by the Client
 		 * @return the {@link Builder} for further configuration
-		 * @since 1.1.0
+		 * @since 1.1
 		 */
 		public Builder postLogoutRedirectUris(Consumer<List<String>> postLogoutRedirectUrisConsumer) {
 			acceptClaimValues(OidcClientMetadataClaimNames.POST_LOGOUT_REDIRECT_URIS, postLogoutRedirectUrisConsumer);

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/OidcProviderConfiguration.java

@@ -136,7 +136,7 @@ public Builder userInfoEndpoint(String userInfoEndpoint) {
 		 *
 		 * @param endSessionEndpoint the {@code URL} of the OpenID Connect 1.0 End Session Endpoint
 		 * @return the {@link Builder} for further configuration
-		 * @since 1.1.0
+		 * @since 1.1
 		 */
 		public Builder endSessionEndpoint(String endSessionEndpoint) {
 			return claim(OidcProviderMetadataClaimNames.END_SESSION_ENDPOINT, endSessionEndpoint);

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/OidcProviderMetadataClaimAccessor.java

@@ -72,7 +72,7 @@ default URL getUserInfoEndpoint() {
 	 * Returns the {@code URL} of the OpenID Connect 1.0 End Session Endpoint {@code (end_session_endpoint)}.
 	 *
 	 * @return the {@code URL} of the OpenID Connect 1.0 End Session Endpoint
-	 * @since 1.1.0
+	 * @since 1.1
 	 */
 	default URL getEndSessionEndpoint() {
 		return getClaimAsURL(OidcProviderMetadataClaimNames.END_SESSION_ENDPOINT);

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/OidcProviderMetadataClaimNames.java

@@ -49,7 +49,7 @@ public final class OidcProviderMetadataClaimNames extends OAuth2AuthorizationSer
 
 	/**
 	 * {@code end_session_endpoint} - the {@code URL} of the OpenID Connect 1.0 End Session Endpoint
-	 * @since 1.1.0
+	 * @since 1.1
 	 */
 	public static final String END_SESSION_ENDPOINT = "end_session_endpoint";
 

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcLogoutAuthenticationProvider.java

@@ -46,7 +46,7 @@
  * An {@link AuthenticationProvider} implementation for OpenID Connect 1.0 RP-Initiated Logout Endpoint.
  *
  * @author Joe Grandja
- * @since 1.1.0
+ * @since 1.1
  * @see RegisteredClientRepository
  * @see OAuth2AuthorizationService
  * @see SessionRegistry
@@ -83,7 +83,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 				(OidcLogoutAuthenticationToken) authentication;
 
 		OAuth2Authorization authorization = this.authorizationService.findByToken(
-				oidcLogoutAuthentication.getIdToken(), ID_TOKEN_TOKEN_TYPE);
+				oidcLogoutAuthentication.getIdTokenHint(), ID_TOKEN_TOKEN_TYPE);
 		if (authorization == null) {
 			throwError(OAuth2ErrorCodes.INVALID_TOKEN, "id_token_hint");
 		}
@@ -120,18 +120,24 @@ public Authentication authenticate(Authentication authentication) throws Authent
 			this.logger.trace("Validated logout request parameters");
 		}
 
-		// Validate user session
-		SessionInformation sessionInformation = null;
+		// Validate user identity
 		Authentication userPrincipal = (Authentication) oidcLogoutAuthentication.getPrincipal();
-		if (isPrincipalAuthenticated(userPrincipal) &&
-				StringUtils.hasText(oidcLogoutAuthentication.getSessionId())) {
-			sessionInformation = findSessionInformation(
-					userPrincipal, oidcLogoutAuthentication.getSessionId());
-			if (sessionInformation != null) {
-				String sidClaim = idToken.getClaim("sid");
-				if (!StringUtils.hasText(sidClaim) ||
-						!sidClaim.equals(sessionInformation.getSessionId())) {
-					throwError(OAuth2ErrorCodes.INVALID_TOKEN, "sid");
+		if (isPrincipalAuthenticated(userPrincipal)) {
+			if (!StringUtils.hasText(idToken.getSubject()) ||
+					!idToken.getSubject().equals(userPrincipal.getName())) {
+				throwError(OAuth2ErrorCodes.INVALID_TOKEN, IdTokenClaimNames.SUB);
+			}
+
+			// Check for active session
+			if (StringUtils.hasText(oidcLogoutAuthentication.getSessionId())) {
+				SessionInformation sessionInformation = findSessionInformation(
+						userPrincipal, oidcLogoutAuthentication.getSessionId());
+				if (sessionInformation != null) {
+					String sidClaim = idToken.getClaim("sid");
+					if (!StringUtils.hasText(sidClaim) ||
+							!sidClaim.equals(sessionInformation.getSessionId())) {
+						throwError(OAuth2ErrorCodes.INVALID_TOKEN, "sid");
+					}
 				}
 			}
 		}
@@ -140,8 +146,8 @@ public Authentication authenticate(Authentication authentication) throws Authent
 			this.logger.trace("Authenticated logout request");
 		}
 
-		return new OidcLogoutAuthenticationToken(oidcLogoutAuthentication.getIdToken(), userPrincipal,
-				sessionInformation, oidcLogoutAuthentication.getClientId(),
+		return new OidcLogoutAuthenticationToken(idToken, userPrincipal,
+				oidcLogoutAuthentication.getSessionId(), oidcLogoutAuthentication.getClientId(),
 				oidcLogoutAuthentication.getPostLogoutRedirectUri(), oidcLogoutAuthentication.getState());
 	}