Skip to content

Commit 807ce30

Browse files
Steve Riesenbergsjohnr
Steve Riesenberg
authored and
sjohnr
committed
Support additional client authentication methods
Closes gh-9780
1 parent 0cba087 commit 807ce30

File tree

2 files changed

+75
-29
lines changed

2 files changed

+75
-29
lines changed

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java

Lines changed: 4 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
/*
2-
* Copyright 2002-2020 the original author or authors.
2+
* Copyright 2002-2021 the original author or authors.
33
*
44
* Licensed under the Apache License, Version 2.0 (the "License");
55
* you may not use this file except in compliance with the License.
@@ -239,8 +239,7 @@ private static ClientRegistration.Builder withProviderConfiguration(Authorizatio
239239
() -> "The Issuer \"" + metadataIssuer + "\" provided in the configuration metadata did "
240240
+ "not match the requested issuer \"" + issuer + "\"");
241241
String name = URI.create(issuer).getHost();
242-
ClientAuthenticationMethod method = getClientAuthenticationMethod(issuer,
243-
metadata.getTokenEndpointAuthMethods());
242+
ClientAuthenticationMethod method = getClientAuthenticationMethod(metadata.getTokenEndpointAuthMethods());
244243
Map<String, Object> configurationMetadata = new LinkedHashMap<>(metadata.toJSONObject());
245244
// @formatter:off
246245
return ClientRegistration.withRegistrationId(name)
@@ -256,7 +255,7 @@ private static ClientRegistration.Builder withProviderConfiguration(Authorizatio
256255
// @formatter:on
257256
}
258257

259-
private static ClientAuthenticationMethod getClientAuthenticationMethod(String issuer,
258+
private static ClientAuthenticationMethod getClientAuthenticationMethod(
260259
List<com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod> metadataAuthMethods) {
261260
if (metadataAuthMethods == null || metadataAuthMethods
262261
.contains(com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod.CLIENT_SECRET_BASIC)) {
@@ -269,10 +268,7 @@ private static ClientAuthenticationMethod getClientAuthenticationMethod(String i
269268
if (metadataAuthMethods.contains(com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod.NONE)) {
270269
return ClientAuthenticationMethod.NONE;
271270
}
272-
throw new IllegalArgumentException(
273-
"Only ClientAuthenticationMethod.CLIENT_SECRET_BASIC, ClientAuthenticationMethod.CLIENT_SECRET_POST and "
274-
+ "ClientAuthenticationMethod.NONE are supported. The issuer \"" + issuer
275-
+ "\" returned a configuration of " + metadataAuthMethods);
271+
return null;
276272
}
277273

278274
private interface ThrowingFunction<S, T, E extends Throwable> {

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTests.java

Lines changed: 71 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
/*
2-
* Copyright 2002-2020 the original author or authors.
2+
* Copyright 2002-2021 the original author or authors.
33
*
44
* Licensed under the Apache License, Version 2.0 (the "License");
55
* you may not use this file except in compliance with the License.
@@ -298,6 +298,24 @@ public void issuerWhenOAuth2TokenEndpointAuthMethodsNullThenDefaulted() throws E
298298
.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
299299
}
300300

301+
// gh-9780
302+
@Test
303+
public void issuerWhenClientSecretBasicAuthMethodThenMethodIsBasic() throws Exception {
304+
this.response.put("token_endpoint_auth_methods_supported", Arrays.asList("client_secret_basic"));
305+
ClientRegistration registration = registration("").build();
306+
assertThat(registration.getClientAuthenticationMethod())
307+
.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
308+
}
309+
310+
// gh-9780
311+
@Test
312+
public void issuerWhenOAuth2ClientSecretBasicAuthMethodThenMethodIsBasic() throws Exception {
313+
this.response.put("token_endpoint_auth_methods_supported", Arrays.asList("client_secret_basic"));
314+
ClientRegistration registration = registrationOAuth2("", null).build();
315+
assertThat(registration.getClientAuthenticationMethod())
316+
.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
317+
}
318+
301319
@Test
302320
public void issuerWhenTokenEndpointAuthMethodsPostThenMethodIsPost() throws Exception {
303321
this.response.put("token_endpoint_auth_methods_supported", Arrays.asList("client_secret_post"));
@@ -314,6 +332,46 @@ public void issuerWhenOAuth2TokenEndpointAuthMethodsPostThenMethodIsPost() throw
314332
.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_POST);
315333
}
316334

335+
// gh-9780
336+
@Test
337+
public void issuerWhenClientSecretJwtAuthMethodThenMethodIsClientSecretBasic() throws Exception {
338+
this.response.put("token_endpoint_auth_methods_supported", Arrays.asList("client_secret_jwt"));
339+
ClientRegistration registration = registration("").build();
340+
// The client_secret_basic auth method is still the default
341+
assertThat(registration.getClientAuthenticationMethod())
342+
.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
343+
}
344+
345+
// gh-9780
346+
@Test
347+
public void issuerWhenOAuth2ClientSecretJwtAuthMethodThenMethodIsClientSecretBasic() throws Exception {
348+
this.response.put("token_endpoint_auth_methods_supported", Arrays.asList("client_secret_jwt"));
349+
ClientRegistration registration = registrationOAuth2("", null).build();
350+
// The client_secret_basic auth method is still the default
351+
assertThat(registration.getClientAuthenticationMethod())
352+
.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
353+
}
354+
355+
// gh-9780
356+
@Test
357+
public void issuerWhenPrivateKeyJwtAuthMethodThenMethodIsClientSecretBasic() throws Exception {
358+
this.response.put("token_endpoint_auth_methods_supported", Arrays.asList("private_key_jwt"));
359+
ClientRegistration registration = registration("").build();
360+
// The client_secret_basic auth method is still the default
361+
assertThat(registration.getClientAuthenticationMethod())
362+
.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
363+
}
364+
365+
// gh-9780
366+
@Test
367+
public void issuerWhenOAuth2PrivateKeyJwtAuthMethodThenMethodIsClientSecretBasic() throws Exception {
368+
this.response.put("token_endpoint_auth_methods_supported", Arrays.asList("private_key_jwt"));
369+
ClientRegistration registration = registrationOAuth2("", null).build();
370+
// The client_secret_basic auth method is still the default
371+
assertThat(registration.getClientAuthenticationMethod())
372+
.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
373+
}
374+
317375
@Test
318376
public void issuerWhenTokenEndpointAuthMethodsNoneThenMethodIsNone() throws Exception {
319377
this.response.put("token_endpoint_auth_methods_supported", Arrays.asList("none"));
@@ -328,32 +386,24 @@ public void issuerWhenOAuth2TokenEndpointAuthMethodsNoneThenMethodIsNone() throw
328386
assertThat(registration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.NONE);
329387
}
330388

331-
/**
332-
* We currently only support client_secret_basic, so verify we have a meaningful error
333-
* until we add support.
334-
*/
389+
// gh-9780
335390
@Test
336-
public void issuerWhenTokenEndpointAuthMethodsInvalidThenException() {
391+
public void issuerWhenTlsClientAuthMethodThenSuccess() throws Exception {
337392
this.response.put("token_endpoint_auth_methods_supported", Arrays.asList("tls_client_auth"));
338-
// @formatter:off
339-
assertThatIllegalArgumentException()
340-
.isThrownBy(() -> registration(""))
341-
.withMessageContaining("Only ClientAuthenticationMethod.CLIENT_SECRET_BASIC, ClientAuthenticationMethod.CLIENT_SECRET_POST and "
342-
+ "ClientAuthenticationMethod.NONE are supported. The issuer \"" + this.issuer
343-
+ "\" returned a configuration of [tls_client_auth]");
344-
// @formatter:on
393+
ClientRegistration registration = registration("").build();
394+
// The client_secret_basic auth method is still the default
395+
assertThat(registration.getClientAuthenticationMethod())
396+
.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
345397
}
346398

399+
// gh-9780
347400
@Test
348-
public void issuerWhenOAuth2TokenEndpointAuthMethodsInvalidThenException() {
401+
public void issuerWhenOAuth2TlsClientAuthMethodThenSuccess() throws Exception {
349402
this.response.put("token_endpoint_auth_methods_supported", Arrays.asList("tls_client_auth"));
350-
// @formatter:off
351-
assertThatIllegalArgumentException()
352-
.isThrownBy(() -> registrationOAuth2("", null))
353-
.withMessageContaining("Only ClientAuthenticationMethod.CLIENT_SECRET_BASIC, ClientAuthenticationMethod.CLIENT_SECRET_POST and "
354-
+ "ClientAuthenticationMethod.NONE are supported. The issuer \"" + this.issuer
355-
+ "\" returned a configuration of [tls_client_auth]");
356-
// @formatter:on
403+
ClientRegistration registration = registrationOAuth2("", null).build();
404+
// The client_secret_basic auth method is still the default
405+
assertThat(registration.getClientAuthenticationMethod())
406+
.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
357407
}
358408

359409
@Test

0 commit comments

Comments
 (0)