Add refresh_token OAuth2AccessTokenResponseClient

Author: jgrandja

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/DefaultRefreshTokenTokenResponseClient.java

@@ -0,0 +1,133 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.client.endpoint;
+
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.http.RequestEntity;
+import org.springframework.http.ResponseEntity;
+import org.springframework.http.converter.FormHttpMessageConverter;
+import org.springframework.http.converter.HttpMessageConverter;
+import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
+import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
+import org.springframework.util.Assert;
+import org.springframework.util.CollectionUtils;
+import org.springframework.web.client.ResponseErrorHandler;
+import org.springframework.web.client.RestClientException;
+import org.springframework.web.client.RestOperations;
+import org.springframework.web.client.RestTemplate;
+
+import java.util.Arrays;
+
+/**
+ * The default implementation of an {@link OAuth2AccessTokenResponseClient}
+ * for the {@link AuthorizationGrantType#REFRESH_TOKEN refresh_token} grant.
+ * This implementation uses a {@link RestOperations} when requesting
+ * an access token credential at the Authorization Server's Token Endpoint.
+ *
+ * @author Joe Grandja
+ * @since 5.2
+ * @see OAuth2AccessTokenResponseClient
+ * @see OAuth2RefreshTokenGrantRequest
+ * @see OAuth2AccessTokenResponse
+ * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-6">Section 6 Refreshing an Access Token</a>
+ */
+public final class DefaultRefreshTokenTokenResponseClient implements OAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> {
+	private static final String INVALID_TOKEN_RESPONSE_ERROR_CODE = "invalid_token_response";
+
+	private Converter<OAuth2RefreshTokenGrantRequest, RequestEntity<?>> requestEntityConverter =
+			new OAuth2RefreshTokenGrantRequestEntityConverter();
+
+	private RestOperations restOperations;
+
+	public DefaultRefreshTokenTokenResponseClient() {
+		RestTemplate restTemplate = new RestTemplate(Arrays.asList(
+				new FormHttpMessageConverter(), new OAuth2AccessTokenResponseHttpMessageConverter()));
+		restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());
+		this.restOperations = restTemplate;
+	}
+
+	@Override
+	public OAuth2AccessTokenResponse getTokenResponse(OAuth2RefreshTokenGrantRequest refreshTokenGrantRequest) {
+		Assert.notNull(refreshTokenGrantRequest, "refreshTokenGrantRequest cannot be null");
+
+		RequestEntity<?> request = this.requestEntityConverter.convert(refreshTokenGrantRequest);
+
+		ResponseEntity<OAuth2AccessTokenResponse> response;
+		try {
+			response = this.restOperations.exchange(request, OAuth2AccessTokenResponse.class);
+		} catch (RestClientException ex) {
+			OAuth2Error oauth2Error = new OAuth2Error(INVALID_TOKEN_RESPONSE_ERROR_CODE,
+					"An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: " + ex.getMessage(), null);
+			throw new OAuth2AuthorizationException(oauth2Error, ex);
+		}
+
+		OAuth2AccessTokenResponse tokenResponse = response.getBody();
+
+		if (CollectionUtils.isEmpty(tokenResponse.getAccessToken().getScopes()) ||
+				tokenResponse.getRefreshToken() == null) {
+			OAuth2AccessTokenResponse.Builder tokenResponseBuilder = OAuth2AccessTokenResponse.withResponse(tokenResponse);
+
+			if (CollectionUtils.isEmpty(tokenResponse.getAccessToken().getScopes())) {
+				// As per spec, in Section 5.1 Successful Access Token Response
+				// https://tools.ietf.org/html/rfc6749#section-5.1
+				// If AccessTokenResponse.scope is empty, then default to the scope
+				// originally requested by the client in the Token Request
+				tokenResponseBuilder.scopes(refreshTokenGrantRequest.getAuthorizedClient().getAccessToken().getScopes());
+			}
+
+			if (tokenResponse.getRefreshToken() == null) {
+				// Reuse existing refresh token
+				tokenResponseBuilder.refreshToken(refreshTokenGrantRequest.getAuthorizedClient().getRefreshToken().getTokenValue());
+			}
+
+			tokenResponse = tokenResponseBuilder.build();
+		}
+
+		return tokenResponse;
+	}
+
+	/**
+	 * Sets the {@link Converter} used for converting the {@link OAuth2RefreshTokenGrantRequest}
+	 * to a {@link RequestEntity} representation of the OAuth 2.0 Access Token Request.
+	 *
+	 * @param requestEntityConverter the {@link Converter} used for converting to a {@link RequestEntity} representation of the Access Token Request
+	 */
+	public void setRequestEntityConverter(Converter<OAuth2RefreshTokenGrantRequest, RequestEntity<?>> requestEntityConverter) {
+		Assert.notNull(requestEntityConverter, "requestEntityConverter cannot be null");
+		this.requestEntityConverter = requestEntityConverter;
+	}
+
+	/**
+	 * Sets the {@link RestOperations} used when requesting the OAuth 2.0 Access Token Response.
+	 *
+	 * <p>
+	 * <b>NOTE:</b> At a minimum, the supplied {@code restOperations} must be configured with the following:
+	 * <ol>
+	 *  <li>{@link HttpMessageConverter}'s - {@link FormHttpMessageConverter} and {@link OAuth2AccessTokenResponseHttpMessageConverter}</li>
+	 *  <li>{@link ResponseErrorHandler} - {@link OAuth2ErrorResponseErrorHandler}</li>
+	 * </ol>
+	 *
+	 * @param restOperations the {@link RestOperations} used when requesting the Access Token Response
+	 */
+	public void setRestOperations(RestOperations restOperations) {
+		Assert.notNull(restOperations, "restOperations cannot be null");
+		this.restOperations = restOperations;
+	}
+}

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2RefreshTokenGrantRequest.java

@@ -0,0 +1,82 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.client.endpoint;
+
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.util.Assert;
+
+import java.util.Collections;
+import java.util.LinkedHashSet;
+import java.util.Set;
+
+/**
+ * An OAuth 2.0 Refresh Token Grant request that holds
+ * the {@link OAuth2AuthorizedClient authorized client}.
+ *
+ * @author Joe Grandja
+ * @since 5.2
+ * @see AbstractOAuth2AuthorizationGrantRequest
+ * @see OAuth2AuthorizedClient
+ * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-6">Section 6 Refreshing an Access Token</a>
+ */
+public class OAuth2RefreshTokenGrantRequest extends AbstractOAuth2AuthorizationGrantRequest {
+	private final OAuth2AuthorizedClient authorizedClient;
+	private final Set<String> scopes;
+
+	/**
+	 * Constructs an {@code OAuth2RefreshTokenGrantRequest} using the provided parameters.
+	 *
+	 * @param authorizedClient the authorized client
+	 */
+	public OAuth2RefreshTokenGrantRequest(OAuth2AuthorizedClient authorizedClient) {
+		this(authorizedClient, Collections.emptySet());
+	}
+
+	/**
+	 * Constructs an {@code OAuth2RefreshTokenGrantRequest} using the provided parameters.
+	 *
+	 * @param authorizedClient the authorized client
+	 * @param scopes the scopes
+	 */
+	public OAuth2RefreshTokenGrantRequest(OAuth2AuthorizedClient authorizedClient, Set<String> scopes) {
+		super(AuthorizationGrantType.REFRESH_TOKEN);
+		Assert.notNull(authorizedClient, "authorizedClient cannot be null");
+		Assert.notNull(authorizedClient.getRefreshToken(), "authorizedClient.refreshToken cannot be null");
+		this.authorizedClient = authorizedClient;
+		this.scopes = Collections.unmodifiableSet(scopes != null ?
+				new LinkedHashSet<>(scopes) : Collections.emptySet());
+
+	}
+
+	/**
+	 * Returns the {@link OAuth2AuthorizedClient authorized client}.
+	 *
+	 * @return the {@link OAuth2AuthorizedClient}
+	 */
+	public OAuth2AuthorizedClient getAuthorizedClient() {
+		return this.authorizedClient;
+	}
+
+	/**
+	 * Returns the scope(s).
+	 *
+	 * @return the scope(s)
+	 */
+	public Set<String> getScopes() {
+		return this.scopes;
+	}
+}

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2RefreshTokenGrantRequestEntityConverter.java

@@ -0,0 +1,89 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.client.endpoint;
+
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.RequestEntity;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.util.CollectionUtils;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
+import org.springframework.util.StringUtils;
+import org.springframework.web.util.UriComponentsBuilder;
+
+import java.net.URI;
+
+/**
+ * A {@link Converter} that converts the provided {@link OAuth2RefreshTokenGrantRequest}
+ * to a {@link RequestEntity} representation of an OAuth 2.0 Access Token Request
+ * for the Refresh Token Grant.
+ *
+ * @author Joe Grandja
+ * @since 5.2
+ * @see Converter
+ * @see OAuth2RefreshTokenGrantRequest
+ * @see RequestEntity
+ */
+public class OAuth2RefreshTokenGrantRequestEntityConverter implements Converter<OAuth2RefreshTokenGrantRequest, RequestEntity<?>> {
+
+	/**
+	 * Returns the {@link RequestEntity} used for the Access Token Request.
+	 *
+	 * @param refreshTokenGrantRequest the refresh token grant request
+	 * @return the {@link RequestEntity} used for the Access Token Request
+	 */
+	@Override
+	public RequestEntity<?> convert(OAuth2RefreshTokenGrantRequest refreshTokenGrantRequest) {
+		ClientRegistration clientRegistration = refreshTokenGrantRequest.getAuthorizedClient().getClientRegistration();
+
+		HttpHeaders headers = OAuth2AuthorizationGrantRequestEntityUtils.getTokenRequestHeaders(clientRegistration);
+		MultiValueMap<String, String> formParameters = buildFormParameters(refreshTokenGrantRequest);
+		URI uri = UriComponentsBuilder.fromUriString(clientRegistration.getProviderDetails().getTokenUri())
+				.build()
+				.toUri();
+
+		return new RequestEntity<>(formParameters, headers, HttpMethod.POST, uri);
+	}
+
+	/**
+	 * Returns a {@link MultiValueMap} of the form parameters used for the Access Token Request body.
+	 *
+	 * @param refreshTokenGrantRequest the refresh token grant request
+	 * @return a {@link MultiValueMap} of the form parameters used for the Access Token Request body
+	 */
+	private MultiValueMap<String, String> buildFormParameters(OAuth2RefreshTokenGrantRequest refreshTokenGrantRequest) {
+		ClientRegistration clientRegistration = refreshTokenGrantRequest.getAuthorizedClient().getClientRegistration();
+
+		MultiValueMap<String, String> formParameters = new LinkedMultiValueMap<>();
+		formParameters.add(OAuth2ParameterNames.GRANT_TYPE, refreshTokenGrantRequest.getGrantType().getValue());
+		formParameters.add(OAuth2ParameterNames.REFRESH_TOKEN,
+				refreshTokenGrantRequest.getAuthorizedClient().getRefreshToken().getTokenValue());
+		if (!CollectionUtils.isEmpty(refreshTokenGrantRequest.getScopes())) {
+			formParameters.add(OAuth2ParameterNames.SCOPE,
+					StringUtils.collectionToDelimitedString(refreshTokenGrantRequest.getScopes(), " "));
+		}
+		if (ClientAuthenticationMethod.POST.equals(clientRegistration.getClientAuthenticationMethod())) {
+			formParameters.add(OAuth2ParameterNames.CLIENT_ID, clientRegistration.getClientId());
+			formParameters.add(OAuth2ParameterNames.CLIENT_SECRET, clientRegistration.getClientSecret());
+		}
+
+		return formParameters;
+	}
+}