Simplify population of OAuth2AuthorizationContext

Author: jgrandja

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ClientCredentialsOAuth2AuthorizedClientProvider.java

@@ -19,6 +19,7 @@
 import org.springframework.security.oauth2.client.endpoint.DefaultClientCredentialsTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
@@ -38,8 +39,8 @@
  * @see DefaultClientCredentialsTokenResponseClient
  */
 public final class ClientCredentialsOAuth2AuthorizedClientProvider implements OAuth2AuthorizedClientProvider {
-	private static final String HTTP_SERVLET_REQUEST_ATTR_NAME = HttpServletRequest.class.getName();
-	private static final String HTTP_SERVLET_RESPONSE_ATTR_NAME = HttpServletResponse.class.getName();
+	private static final String HTTP_SERVLET_REQUEST_ATTRIBUTE_NAME = HttpServletRequest.class.getName();
+	private static final String HTTP_SERVLET_RESPONSE_ATTRIBUTE_NAME = HttpServletResponse.class.getName();
 	private final ClientRegistrationRepository clientRegistrationRepository;
 	private final OAuth2AuthorizedClientRepository authorizedClientRepository;
 	private OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient =
@@ -59,6 +60,22 @@ public ClientCredentialsOAuth2AuthorizedClientProvider(ClientRegistrationReposit
 		this.authorizedClientRepository = authorizedClientRepository;
 	}
 
+	/**
+	 * Attempt to authorize (or re-authorize) the {@link OAuth2AuthorizationContext#getClientRegistration() client} in the provided {@code context}.
+	 * Returns {@code null} if authorization (or re-authorization) is not supported,
+	 * e.g. the client's {@link ClientRegistration#getAuthorizationGrantType() authorization grant type}
+	 * is not {@link AuthorizationGrantType#CLIENT_CREDENTIALS client_credentials}.
+	 *
+	 * <p>
+	 * The following {@link OAuth2AuthorizationContext#getAttributes() context attributes} are supported:
+	 * <ol>
+	 *  <li>{@code "javax.servlet.http.HttpServletRequest"} (required) - the {@code HttpServletRequest}</li>
+	 *  <li>{@code "javax.servlet.http.HttpServletResponse"} (required) - the {@code HttpServletResponse}</li>
+	 * </ol>
+	 *
+	 * @param context the context that holds authorization-specific state for the client
+	 * @return the {@link OAuth2AuthorizedClient} or {@code null} if authorization (or re-authorization) is not supported
+	 */
 	@Override
 	@Nullable
 	public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
@@ -67,10 +84,10 @@ public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
 			return null;
 		}
 
-		HttpServletRequest request = context.getAttribute(HTTP_SERVLET_REQUEST_ATTR_NAME);
-		HttpServletResponse response = context.getAttribute(HTTP_SERVLET_RESPONSE_ATTR_NAME);
-		Assert.notNull(request, "context.HttpServletRequest cannot be null");
-		Assert.notNull(response, "context.HttpServletResponse cannot be null");
+		HttpServletRequest request = context.getAttribute(HTTP_SERVLET_REQUEST_ATTRIBUTE_NAME);
+		HttpServletResponse response = context.getAttribute(HTTP_SERVLET_RESPONSE_ATTRIBUTE_NAME);
+		Assert.notNull(request, "The context attribute cannot be null '" + HTTP_SERVLET_REQUEST_ATTRIBUTE_NAME + "'");
+		Assert.notNull(response, "The context attribute cannot be null '" + HTTP_SERVLET_RESPONSE_ATTRIBUTE_NAME + "'");
 
 		// As per spec, in section 4.4.3 Access Token Response
 		// https://tools.ietf.org/html/rfc6749#section-4.4.3

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/RefreshTokenOAuth2AuthorizedClientProvider.java

@@ -24,10 +24,13 @@
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import java.util.Arrays;
 import java.util.Set;
+import java.util.stream.Collectors;
 
 /**
  * An implementation of an {@link OAuth2AuthorizedClientProvider}
@@ -39,9 +42,17 @@
  * @see DefaultRefreshTokenTokenResponseClient
  */
 public final class RefreshTokenOAuth2AuthorizedClientProvider implements OAuth2AuthorizedClientProvider {
-	private static final String HTTP_SERVLET_REQUEST_ATTR_NAME = HttpServletRequest.class.getName();
-	private static final String HTTP_SERVLET_RESPONSE_ATTR_NAME = HttpServletResponse.class.getName();
-	private static final String SCOPE_ATTR_NAME = "SCOPE";
+	/**
+	 * The name of the {@link OAuth2AuthorizationContext#getAttribute(String) attribute}
+	 * in the {@link OAuth2AuthorizationContext context} associated to the value for the "requested scope(s)".
+	 * The value of the attribute is a space-delimited or comma-delimited {@code String} of scope(s)
+	 * to be requested by the {@link OAuth2AuthorizationContext#getClientRegistration() client}.
+	 */
+	public static final String REQUEST_SCOPE_ATTRIBUTE_NAME = "org.springframework.security.oauth2.client.REQUEST_SCOPE";
+
+	private static final String HTTP_SERVLET_REQUEST_ATTRIBUTE_NAME = HttpServletRequest.class.getName();
+	private static final String HTTP_SERVLET_RESPONSE_ATTRIBUTE_NAME = HttpServletResponse.class.getName();
+
 	private final ClientRegistrationRepository clientRegistrationRepository;
 	private final OAuth2AuthorizedClientRepository authorizedClientRepository;
 	private OAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> accessTokenResponseClient =
@@ -61,6 +72,23 @@ public RefreshTokenOAuth2AuthorizedClientProvider(ClientRegistrationRepository c
 		this.authorizedClientRepository = authorizedClientRepository;
 	}
 
+	/**
+	 * Attempt to re-authorize the {@link OAuth2AuthorizationContext#getClientRegistration() client} in the provided {@code context}.
+	 * Returns {@code null} if re-authorization is not supported,
+	 * e.g. the {@link OAuth2AuthorizedClient#getRefreshToken() refresh token} is not available for the
+	 * {@link OAuth2AuthorizationContext#getAuthorizedClient() authorized client}.
+	 *
+	 * <p>
+	 * The following {@link OAuth2AuthorizationContext#getAttributes() context attributes} are supported:
+	 * <ol>
+	 *  <li>{@code "javax.servlet.http.HttpServletRequest"} (required) - the {@code HttpServletRequest}</li>
+	 *  <li>{@code "javax.servlet.http.HttpServletResponse"} (required) - the {@code HttpServletResponse}</li>
+	 *  <li>{@code "org.springframework.security.oauth2.client.REQUEST_SCOPE"} (optional) - a space-delimited or comma-delimited {@code String} of scope(s) to be requested by the {@link OAuth2AuthorizationContext#getClientRegistration() client}</li>
+	 * </ol>
+	 *
+	 * @param context the context that holds authorization-specific state for the client
+	 * @return the {@link OAuth2AuthorizedClient} or {@code null} if re-authorization is not supported
+	 */
 	@Override
 	@Nullable
 	public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
@@ -69,16 +97,16 @@ public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
 			return null;
 		}
 
-		HttpServletRequest request = context.getAttribute(HTTP_SERVLET_REQUEST_ATTR_NAME);
-		HttpServletResponse response = context.getAttribute(HTTP_SERVLET_RESPONSE_ATTR_NAME);
-		Assert.notNull(request, "context.HttpServletRequest cannot be null");
-		Assert.notNull(response, "context.HttpServletResponse cannot be null");
+		HttpServletRequest request = context.getAttribute(HTTP_SERVLET_REQUEST_ATTRIBUTE_NAME);
+		HttpServletResponse response = context.getAttribute(HTTP_SERVLET_RESPONSE_ATTRIBUTE_NAME);
+		Assert.notNull(request, "The context attribute cannot be null '" + HTTP_SERVLET_REQUEST_ATTRIBUTE_NAME + "'");
+		Assert.notNull(response, "The context attribute cannot be null '" + HTTP_SERVLET_RESPONSE_ATTRIBUTE_NAME + "'");
 
-		Object scopesObj = context.getAttribute(SCOPE_ATTR_NAME);
+		String requestScope = context.getAttribute(REQUEST_SCOPE_ATTRIBUTE_NAME);
 		Set<String> scopes = null;
-		if (scopesObj != null) {
-			Assert.isTrue(scopesObj instanceof Set, "The '" + SCOPE_ATTR_NAME + "' attribute must be of type " + Set.class.getName());
-			scopes = (Set<String>) scopesObj;
+		if (!StringUtils.isEmpty(requestScope)) {
+			String delimiter = requestScope.indexOf(',') != -1 ? "," : " ";
+			scopes = Arrays.stream(StringUtils.delimitedListToStringArray(requestScope, delimiter, " ")).collect(Collectors.toSet());
 		}
 
 		OAuth2RefreshTokenGrantRequest refreshTokenGrantRequest =

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/method/annotation/OAuth2AuthorizedClientArgumentResolver.java

@@ -123,17 +123,16 @@ public Object resolveArgument(MethodParameter parameter,
 
 		HttpServletResponse servletResponse = webRequest.getNativeResponse(HttpServletResponse.class);
 
-		OAuth2AuthorizationContext.Builder authorizationContextBuilder = OAuth2AuthorizationContext.authorize(clientRegistration);
-		if (principal == null) {
-			authorizationContextBuilder.principal("anonymousUser");
+		OAuth2AuthorizationContext.Builder contextBuilder = OAuth2AuthorizationContext.authorize(clientRegistration);
+		if (principal != null) {
+			contextBuilder.principal(principal);
 		} else {
-			authorizationContextBuilder.principal(principal);
+			contextBuilder.principal("anonymousUser");
 		}
-		OAuth2AuthorizationContext authorizationContext = authorizationContextBuilder
+		OAuth2AuthorizationContext authorizationContext = contextBuilder
 				.attribute(HttpServletRequest.class.getName(), servletRequest)
 				.attribute(HttpServletResponse.class.getName(), servletResponse)
 				.build();
-
 		return this.authorizedClientProvider.authorize(authorizationContext);
 	}
 

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServletOAuth2AuthorizedClientExchangeFilterFunction.java

@@ -20,7 +20,6 @@
 import org.springframework.beans.factory.DisposableBean;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.client.AuthorizationCodeOAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.ClientCredentialsOAuth2AuthorizedClientProvider;
@@ -54,7 +53,7 @@
 import java.time.Clock;
 import java.time.Duration;
 import java.time.Instant;
-import java.util.Collection;
+import java.util.HashMap;
 import java.util.Map;
 import java.util.function.Consumer;
 
@@ -317,7 +316,7 @@ public Mono<ClientResponse> filter(ClientRequest request, ExchangeFunction next)
 				.filter(req -> req.attribute(OAUTH2_AUTHORIZED_CLIENT_ATTR_NAME).isPresent())
 				.switchIfEmpty(mergeRequestAttributesFromContext(request))
 				.filter(req -> req.attribute(OAUTH2_AUTHORIZED_CLIENT_ATTR_NAME).isPresent())
-				.flatMap(req -> reauthorizeClientIfNecessary(req, next, getOAuth2AuthorizedClient(req.attributes())))
+				.flatMap(req -> reauthorizeClientIfNecessary(getOAuth2AuthorizedClient(req.attributes()), req))
 				.map(authorizedClient -> bearer(request, authorizedClient))
 				.flatMap(next::exchange)
 				.switchIfEmpty(next.exchange(request));
@@ -388,48 +387,59 @@ private void populateDefaultOAuth2AuthorizedClient(Map<String, Object> attrs) {
 			OAuth2AuthorizedClient authorizedClient = this.authorizedClientRepository.loadAuthorizedClient(
 					clientRegistrationId, authentication, request);
 			if (authorizedClient == null) {
-				authorizedClient = getAuthorizedClient(clientRegistrationId, attrs);
+				authorizedClient = authorizeClient(clientRegistrationId, attrs);
 			}
 			oauth2AuthorizedClient(authorizedClient).accept(attrs);
 		}
 	}
 
-	private OAuth2AuthorizedClient getAuthorizedClient(String clientRegistrationId, Map<String, Object> attrs) {
+	private OAuth2AuthorizedClient authorizeClient(String clientRegistrationId, Map<String, Object> attributes) {
 		ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId(clientRegistrationId);
 		if (clientRegistration == null) {
 			throw new IllegalArgumentException("Could not find ClientRegistration with id " + clientRegistrationId);
 		}
-		Authentication authentication = getAuthentication(attrs);
-		if (authentication == null) {
-			authentication = new PrincipalNameAuthentication("anonymousUser");
+
+		OAuth2AuthorizationContext.Builder contextBuilder = OAuth2AuthorizationContext.authorize(clientRegistration);
+		Authentication authentication = getAuthentication(attributes);
+		if (authentication != null) {
+			contextBuilder.principal(authentication);
+		} else {
+			contextBuilder.principal("anonymousUser");
 		}
-		OAuth2AuthorizationContext authorizationContext = OAuth2AuthorizationContext.authorize(clientRegistration)
-				.principal(authentication)
-				.attribute(HttpServletRequest.class.getName(), getRequest(attrs))
-				.attribute(HttpServletResponse.class.getName(), getResponse(attrs))
+		OAuth2AuthorizationContext authorizationContext = contextBuilder
+				.attributes(defaultContextAttributes(attributes))
 				.build();
 		return this.authorizedClientProvider.authorize(authorizationContext);
 	}
 
 	private Mono<OAuth2AuthorizedClient> reauthorizeClientIfNecessary(
-			ClientRequest request, ExchangeFunction next, OAuth2AuthorizedClient authorizedClient) {
+			OAuth2AuthorizedClient authorizedClient, ClientRequest request) {
 		if (this.authorizedClientProvider == null || !hasTokenExpired(authorizedClient)) {
 			return Mono.just(authorizedClient);
 		}
 
 		Map<String, Object> attributes = request.attributes();
+
+		OAuth2AuthorizationContext.Builder contextBuilder = OAuth2AuthorizationContext.reauthorize(authorizedClient);
 		Authentication authentication = getAuthentication(attributes);
-		if (authentication == null) {
-			authentication = new PrincipalNameAuthentication(authorizedClient.getPrincipalName());
+		if (authentication != null) {
+			contextBuilder.principal(authentication);
+		} else {
+			contextBuilder.principal(authorizedClient.getPrincipalName());
 		}
-		OAuth2AuthorizationContext authorizationContext = OAuth2AuthorizationContext.reauthorize(authorizedClient)
-				.principal(authentication)
-				.attribute(HttpServletRequest.class.getName(), getRequest(attributes))
-				.attribute(HttpServletResponse.class.getName(), getResponse(attributes))
+		OAuth2AuthorizationContext authorizationContext = contextBuilder
+				.attributes(defaultContextAttributes(attributes))
 				.build();
 		return Mono.fromSupplier(() -> this.authorizedClientProvider.authorize(authorizationContext));
 	}
 
+	private Map<String, Object> defaultContextAttributes(Map<String, Object> attributes) {
+		Map<String, Object> contextAttributes = new HashMap<>();
+		contextAttributes.put(HttpServletRequest.class.getName(), getRequest(attributes));
+		contextAttributes.put(HttpServletResponse.class.getName(), getResponse(attributes));
+		return contextAttributes;
+	}
+
 	private boolean hasTokenExpired(OAuth2AuthorizedClient authorizedClient) {
 		Instant now = this.clock.instant();
 		Instant expiresAt = authorizedClient.getAccessToken().getExpiresAt();
@@ -478,53 +488,6 @@ static HttpServletResponse getResponse(Map<String, Object> attrs) {
 		return (HttpServletResponse) attrs.get(HTTP_SERVLET_RESPONSE_ATTR_NAME);
 	}
 
-	private static class PrincipalNameAuthentication implements Authentication {
-		private final String username;
-
-		private PrincipalNameAuthentication(String username) {
-			this.username = username;
-		}
-
-		@Override
-		public Collection<? extends GrantedAuthority> getAuthorities() {
-			throw unsupported();
-		}
-
-		@Override
-		public Object getCredentials() {
-			throw unsupported();
-		}
-
-		@Override
-		public Object getDetails() {
-			throw unsupported();
-		}
-
-		@Override
-		public Object getPrincipal() {
-			throw unsupported();
-		}
-
-		@Override
-		public boolean isAuthenticated() {
-			throw unsupported();
-		}
-
-		@Override
-		public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
-			throw unsupported();
-		}
-
-		@Override
-		public String getName() {
-			return this.username;
-		}
-
-		private UnsupportedOperationException unsupported() {
-			return new UnsupportedOperationException("Not Supported");
-		}
-	}
-
 	private static class RequestContextSubscriber<T> implements CoreSubscriber<T> {
 		private static final String CONTEXT_DEFAULTED_ATTR_NAME = RequestContextSubscriber.class.getName().concat(".CONTEXT_DEFAULTED_ATTR_NAME");
 		private final CoreSubscriber<T> delegate;

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/ClientCredentialsOAuth2AuthorizedClientProviderTests.java

@@ -106,7 +106,7 @@ public void authorizeWhenHttpServletRequestIsNullThenThrowIllegalArgumentExcepti
 				OAuth2AuthorizationContext.authorize(this.clientRegistration).principal(this.principal).build();
 		assertThatThrownBy(() -> this.authorizedClientProvider.authorize(authorizationContext))
 				.isInstanceOf(IllegalArgumentException.class)
-				.hasMessage("context.HttpServletRequest cannot be null");
+				.hasMessage("The context attribute cannot be null 'javax.servlet.http.HttpServletRequest'");
 	}
 
 	@Test
@@ -118,7 +118,7 @@ public void authorizeWhenHttpServletResponseIsNullThenThrowIllegalArgumentExcept
 						.build();
 		assertThatThrownBy(() -> this.authorizedClientProvider.authorize(authorizationContext))
 				.isInstanceOf(IllegalArgumentException.class)
-				.hasMessage("context.HttpServletResponse cannot be null");
+				.hasMessage("The context attribute cannot be null 'javax.servlet.http.HttpServletResponse'");
 	}
 
 	@Test