From 1df3e76d8d9dd04f98dcf5cb9464e9f52d5df12f Mon Sep 17 00:00:00 2001
From: sylvain-costanzo
Date: Mon, 13 Jan 2025 19:41:00 +0100
Subject: [PATCH 1/4] Remove the openid scope matcher in OAuth2AuthorizationEndpointFilter

Closes gh-1811

Signed-off-by: sylvain-costanzo
---
 .../OAuth2AuthorizationEndpointFilter.java | 19 ++-----------------
 ...Auth2AuthorizationEndpointFilterTests.java | 8 ++------
 2 files changed, 4 insertions(+), 23 deletions(-)

diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java
index 5e5cf2806..9da4ea4ae 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java
@@ -39,7 +39,6 @@
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
-import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationException;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken;
@@ -57,9 +56,7 @@
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
 import org.springframework.security.web.util.RedirectUrlBuilder;
 import org.springframework.security.web.util.UrlUtils;
-import org.springframework.security.web.util.matcher.AndRequestMatcher;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
-import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
@@ -151,20 +148,8 @@ private static RequestMatcher createDefaultRequestMatcher(String authorizationEn
  HttpMethod.GET.name());
  RequestMatcher authorizationRequestPostMatcher = new AntPathRequestMatcher(authorizationEndpointUri,
  HttpMethod.POST.name());
- RequestMatcher openidScopeMatcher = (request) -> {
- String scope = request.getParameter(OAuth2ParameterNames.SCOPE);
- return StringUtils.hasText(scope) && scope.contains(OidcScopes.OPENID);
- };
- RequestMatcher responseTypeParameterMatcher = (
- request) -> request.getParameter(OAuth2ParameterNames.RESPONSE_TYPE) != null;
-
- RequestMatcher authorizationRequestMatcher = new OrRequestMatcher(authorizationRequestGetMatcher,
- new AndRequestMatcher(authorizationRequestPostMatcher, responseTypeParameterMatcher,
- openidScopeMatcher));
- RequestMatcher authorizationConsentMatcher = new AndRequestMatcher(authorizationRequestPostMatcher,
- new NegatedRequestMatcher(responseTypeParameterMatcher));
-
- return new OrRequestMatcher(authorizationRequestMatcher, authorizationConsentMatcher);
+
+ return new OrRequestMatcher(authorizationRequestGetMatcher, authorizationRequestPostMatcher);
  }
  @Override
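Review bot: After this hunk createDefaultRequestMatcher admits every GET or POST to the authorization endpoint, so telling a consent submission (a POST without response_type, per the removed authorizationConsentMatcher) apart from an authorization request is left entirely to the authentication converter; a comment on the return would keep that contract visible, e.g. `// Matches any GET or POST to the endpoint; whether a POST is an authorization request or a consent submission is decided downstream by the authentication converter.` The added empty `+` line between the POST matcher and the return is a leftover from the removed block and can go. PATCH 3/4 in this series rewrites this same return into a composed matcher, so the two hunks should be squashed so the history shows one intended shape of this method. createDefaultRequestMatcher's signature is above the hunk.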
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java
index 4a7494708..ada590fd4 100644
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java
@@ -611,11 +611,7 @@ public void doFilterWhenAuthorizationRequestAuthenticatedThenAuthorizationRespon
  @Test
  public void doFilterWhenAuthenticationRequestAuthenticatedThenAuthorizationResponse() throws Exception {
- // Setup OpenID Connect request
- RegisteredClient registeredClient = TestRegisteredClients.registeredClient().scopes((scopes) -> {
- scopes.clear();
- scopes.add(OidcScopes.OPENID);
- }).build();
+ RegisteredClient registeredClient = TestRegisteredClients.registeredClient().scopes(Set::clear).build();
  OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthenticationResult = new OAuth2AuthorizationCodeRequestAuthenticationToken(
  AUTHORIZATION_URI, registeredClient.getClientId(), this.principal, this.authorizationCode,
  registeredClient.getRedirectUris().iterator().next(), STATE, registeredClient.getScopes());
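Review bot: The test name doFilterWhenAuthenticationRequestAuthenticatedThenAuthorizationResponse still uses the OIDC term "authentication request", but with `scopes(Set::clear)` the fixture no longer asks for openid and the case is now just a POST authorization request; a name such as `doFilterWhenAuthorizationRequestPostAuthenticatedThenAuthorizationResponse` would say what it covers and distinguish it from the GET variant named in the hunk header. The next hunk drops the `// OpenID Connect supports POST method` comment without replacing it; `// RFC 6749 section 3.1: the authorization endpoint may also accept POST` would keep the reason the method is switched. A client with no scopes at all is also a less representative fixture than the default client's scopes, unless an empty scope set is what this case is meant to exercise. The test method body continues past the end of the hunk.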
@@ -623,7 +619,7 @@ public void doFilterWhenAuthenticationRequestAuthenticatedThenAuthorizationRespo
  given(this.authenticationManager.authenticate(any())).willReturn(authorizationCodeRequestAuthenticationResult);
  MockHttpServletRequest request = createAuthorizationRequest(registeredClient);
- request.setMethod("POST"); // OpenID Connect supports POST method
+ request.setMethod("POST");
  request.setQueryString(null);
  MockHttpServletResponse response = new MockHttpServletResponse();
  FilterChain filterChain = mock(FilterChain.class);

From 40c8b22e13af0f74400814ed09cfc17b5e7c8f04 Mon Sep 17 00:00:00 2001
From: sylvain-costanzo
Date: Fri, 17 Jan 2025 18:50:23 +0100
Subject: [PATCH 2/4] Remove the openid scope matcher in OAuth2AuthorizationCodeRequestAuthenticationConverter

Closes gh-1811

Signed-off-by: sylvain-costanzo
---
 ...horizationCodeRequestAuthenticationConverter.java | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeRequestAuthenticationConverter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeRequestAuthenticationConverter.java
index c574d6153..521ddd400 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeRequestAuthenticationConverter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeRequestAuthenticationConverter.java
@@ -64,11 +64,11 @@ public final class OAuth2AuthorizationCodeRequestAuthenticationConverter impleme
  private static final Authentication ANONYMOUS_AUTHENTICATION = new AnonymousAuthenticationToken("anonymous",
  "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
- private static final RequestMatcher OIDC_REQUEST_MATCHER = createOidcRequestMatcher();
+ private static final RequestMatcher POST_WITH_RESPONSE_TYPE_REQUEST_MATCHER = createPostWithResponseTypeRequestMatcher();
  @Override
  public Authentication convert(HttpServletRequest request) {
- if (!"GET".equals(request.getMethod()) && !OIDC_REQUEST_MATCHER.matches(request)) {
+ if (!"GET".equals(request.getMethod()) && !POST_WITH_RESPONSE_TYPE_REQUEST_MATCHER.matches(request)) {
  return null;
  }
@@ -153,15 +153,11 @@ else if (!responseType.equals(OAuth2AuthorizationResponseType.CODE.getValue()))
  state, scopes, additionalParameters);
  }
- private static RequestMatcher createOidcRequestMatcher() {
+ private static RequestMatcher createPostWithResponseTypeRequestMatcher() {
  RequestMatcher postMethodMatcher = (request) -> "POST".equals(request.getMethod());
  RequestMatcher responseTypeParameterMatcher = (
  request) -> request.getParameter(OAuth2ParameterNames.RESPONSE_TYPE) != null;
- RequestMatcher openidScopeMatcher = (request) -> {
- String scope = request.getParameter(OAuth2ParameterNames.SCOPE);
- return StringUtils.hasText(scope) && scope.contains(OidcScopes.OPENID);
- };
- return new AndRequestMatcher(postMethodMatcher, responseTypeParameterMatcher, openidScopeMatcher);
+ return new AndRequestMatcher(postMethodMatcher, responseTypeParameterMatcher);
  }
  private static void throwError(String errorCode, String parameterName) {

From a8d0772aecdcead9f5493fe08cfc07cad228fab4 Mon Sep 17 00:00:00 2001
From: sylvain-costanzo
Date: Mon, 3 Feb 2025 18:45:10 +0100
Subject: [PATCH 3/4] Disctinct Authorize matcher and Consent matcher in OAuth2AuthorizationEndpointFilter

Closes gh-1811
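Review bot: Removing openidScopeMatcher from createPostWithResponseTypeRequestMatcher takes away the only visible uses of `StringUtils.hasText` and `OidcScopes.OPENID` in this file, yet this patch has no import hunk for the converter; if neither name is used elsewhere in the file, both imports are now unused and will trip the project's checkstyle (PATCH 1/4 removed the corresponding OidcScopes import from OAuth2AuthorizationEndpointFilter, so the omission here looks accidental). The renamed POST_WITH_RESPONSE_TYPE_REQUEST_MATCHER in the first hunk would also benefit from a comment stating why response_type is the discriminator, since this is now the only thing separating a POST authorization request from a consent submission to the same endpoint: `// RFC 6749 section 3.1 lets the authorization endpoint accept POST; response_type distinguishes such a request from a consent submission, which also POSTs here without it.` The convert method's body continues outside the first hunk.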
Signed-off-by: sylvain-costanzo
---
 .../web/OAuth2AuthorizationEndpointFilter.java | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java
index 9da4ea4ae..5aaab5e78 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java
@@ -56,9 +56,7 @@
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
 import org.springframework.security.web.util.RedirectUrlBuilder;
 import org.springframework.security.web.util.UrlUtils;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
-import org.springframework.security.web.util.matcher.OrRequestMatcher;
-import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.security.web.util.matcher.*;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 import org.springframework.web.filter.OncePerRequestFilter;
@@ -149,7 +147,15 @@ private static RequestMatcher createDefaultRequestMatcher(String authorizationEn
  RequestMatcher authorizationRequestPostMatcher = new AntPathRequestMatcher(authorizationEndpointUri,
  HttpMethod.POST.name());
- return new OrRequestMatcher(authorizationRequestGetMatcher, authorizationRequestPostMatcher);
+ RequestMatcher responseTypeParameterMatcher = (
+ request) -> request.getParameter(OAuth2ParameterNames.RESPONSE_TYPE) != null;
+
+ RequestMatcher authorizationRequestMatcher = new OrRequestMatcher(authorizationRequestGetMatcher,
+ new AndRequestMatcher(authorizationRequestPostMatcher, responseTypeParameterMatcher));
+ RequestMatcher authorizationConsentMatcher = new AndRequestMatcher(authorizationRequestPostMatcher,
+ new NegatedRequestMatcher(responseTypeParameterMatcher));
+
+ return new OrRequestMatcher(authorizationRequestMatcher, authorizationConsentMatcher);
  }
  @Override

From bc6b4701f5863e4f0b1bbaf4f76161c538b30823 Mon Sep 17 00:00:00 2001
From: sylvain-costanzo
Date: Mon, 3 Feb 2025 18:47:23 +0100
Subject: [PATCH 4/4] Disctinct Authorize matcher and Consent matcher in OAuth2AuthorizationEndpointFilter

Closes gh-1811

Signed-off-by: sylvain-costanzo
---
 .../web/OAuth2AuthorizationEndpointFilter.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java
index 5aaab5e78..c4e261291 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java
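Review bot: The composed matcher returned at the end of this hunk is logically identical to the `return new OrRequestMatcher(authorizationRequestGetMatcher, authorizationRequestPostMatcher);` it removes: GET or (POST and response_type) or (POST and not response_type) reduces to GET or POST, and createDefaultRequestMatcher returns only that union, so no caller can observe the authorizationRequestMatcher/authorizationConsentMatcher split. Unless the two sub-matchers are meant to be exposed separately, which this hunk does not do, the extra lambda, the three additional matcher objects and the AndRequestMatcher/NegatedRequestMatcher imports are dead complexity and the simpler one-line return from PATCH 1/4 should stay. If the goal is to document that consent submissions also POST to this endpoint, a comment does that without the extra objects: `// Both authorization requests (GET, or POST with response_type) and consent submissions (POST without response_type) reach this filter.` createDefaultRequestMatcher's signature is above the hunk.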
@@ -56,7 +56,11 @@
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
 import org.springframework.security.web.util.RedirectUrlBuilder;
 import org.springframework.security.web.util.UrlUtils;
-import org.springframework.security.web.util.matcher.*;
+import org.springframework.security.web.util.matcher.AndRequestMatcher;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
+import org.springframework.security.web.util.matcher.OrRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 import org.springframework.web.filter.OncePerRequestFilter;