Refactor implementation of AadOAuth2UserService #32595
Conversation
ghost
added
the
|
API change check API changes are not detected in this pull request. |
backwind1233
changed the title
backwind1233
changed the title
backwind1233
requested review from
chenrujun,
hui1110,
Netyyyy,
saragluna,
stliu,
yiliuTo,
moarychan and
fangjian0423
as code owners
backwind1233
added
the
Client
| } | ||
|
|
||
| /** | ||
| * Creates a new instance of {@link AadOAuth2UserService}. | ||
| * | ||
| * @param properties the AAD authentication properties | ||
| * @param graphClient the graph client | ||
| * @param restTemplateBuilder the restTemplateBuilder |
| } | ||
|
|
||
| private AadOAuth2UserService(AadAuthenticationProperties properties, | ||
| GraphClient graphClient) { |
| /** | ||
| * Tests for {@link AadOAuth2UserService}. | ||
| */ | ||
| public class AadOAuth2UserServiceTest { |
...com/azure/spring/cloud/autoconfigure/aad/implementation/webapp/AadOAuth2UserServiceTest.java
Show resolved
Hide resolved
| import java.util.Arrays; | ||
| import java.util.HashSet; | ||
|
|
||
| public final class TestOAuth2AccessTokens { |
There was a problem hiding this comment.
Can this be an internal class?
| public static OAuth2AccessToken noScopes() { | ||
| return new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, "no-scopes", Instant.now(), | ||
| Instant.now().plus(Duration.ofDays(1))); | ||
| } | ||
|
|
||
| public static OAuth2AccessToken scopes(String... scopes) { |
| class AadOAuth2UserServiceTest { | ||
| private ClientRegistration.Builder clientRegistrationBuilder; | ||
| private OidcIdToken idToken; | ||
| private AadOAuth2UserService aadOAuth2UserService; |
There was a problem hiding this comment.
I think loadUserWithCustomAuthorities() is the special one.
Other test cases could leverage the code in setup().
| private GraphClient graphClient; | ||
| private AadAuthenticationProperties properties; |
There was a problem hiding this comment.
I made a little change.
| idTokenClaims.put(StandardClaimNames.NAME, "user1"); | ||
| idTokenClaims.put(StandardClaimNames.EMAIL, "user1@example.com"); | ||
|
|
||
| this.idToken = new OidcIdToken("access-token", Instant.MIN, Instant.MAX, idTokenClaims); |
There was a problem hiding this comment.
seems like this idToken isn't used by each test case, we can consider making this instantiated in each test method instead.
There was a problem hiding this comment.
I think loadUserWithCustomAuthorities() is the special one.
Other test cases could leverage the code in setup().
There was a problem hiding this comment.
If a variable is not fit for all cases, we should narrow the scope to method. It's okay to have some duplication in the UT. Which will make each test case easy to read.
| private AadOAuth2UserService aadOAuth2UserService; | ||
| private OAuth2AccessToken accessToken; | ||
| private Map<String, Object> idTokenClaims = new HashMap<>(); | ||
| private GraphClient graphClient; |
| if (authentication != null) { | ||
| LOGGER.debug("User {}'s authorities saved from session: {}.", authentication.getName(), authentication.getAuthorities()); | ||
| return (DefaultOidcUser) session.getAttribute(DEFAULT_OIDC_USER); | ||
| } |
There was a problem hiding this comment.
Why not move this checking up to the top?
There was a problem hiding this comment.
can you make it more clear?
There was a problem hiding this comment.
I mean the checking for authentication != null can be done early, like the below code:
public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2AuthenticationException {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication != null) {
LOGGER.debug("User {}'s authorities saved from session: {}.", authentication.getName(), authentication.getAuthorities());
return (DefaultOidcUser) session.getAttribute(DEFAULT_OIDC_USER);
}
ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
HttpSession session = attr.getRequest().getSession(true);
// ...
return defaultOidcUser;
}There was a problem hiding this comment.
We should get the session object first.
| */ | ||
| @Override | ||
| public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2AuthenticationException { | ||
| // Delegate to the default implementation for loading a user | ||
| OidcUser oidcUser = oidcUserService.loadUser(userRequest); |
There was a problem hiding this comment.
This service is an extension for OidcUserService, if we remove the dependency of oidcUserService, it will not be a full Open ID Connect process that Spring Security implements. Some OAuth2AuthenticationExceptions will be ignored the new implementation will not throw OAuth2AuthenticationException .
There was a problem hiding this comment.
This service is an extension for
OidcUserService
I think it's an implementation of OAuth2UserService.
if we remove the dependency of oidcUserService, it will not be a full Open ID Connect process that Spring Security implements.
Yes, there are differences between our implementation Spring Security .
What dou mean the Open ID Connect process?
Some OAuth2AuthenticationExceptions will be ignored the new implementation will not throw OAuth2AuthenticationException .
So, is there any problem?
Description
Refer to Design for implementation of OAuth2UserService for more details.
All SDK Contribution checklist:
General Guidelines and Best Practices
Testing Guidelines