Skip to content

Commit 94324eb

Browse files
author
Steve Riesenberg
committed
Support additional client authentication methods
Closes gh-9780
1 parent 9b05afd commit 94324eb

File tree

2 files changed

+75
-29
lines changed

2 files changed

+75
-29
lines changed

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java

Lines changed: 4 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
/*
2-
* Copyright 2002-2020 the original author or authors.
2+
* Copyright 2002-2021 the original author or authors.
33
*
44
* Licensed under the Apache License, Version 2.0 (the "License");
55
* you may not use this file except in compliance with the License.
@@ -239,8 +239,7 @@ private static ClientRegistration.Builder withProviderConfiguration(Authorizatio
239239
() -> "The Issuer \"" + metadataIssuer + "\" provided in the configuration metadata did "
240240
+ "not match the requested issuer \"" + issuer + "\"");
241241
String name = URI.create(issuer).getHost();
242-
ClientAuthenticationMethod method = getClientAuthenticationMethod(issuer,
243-
metadata.getTokenEndpointAuthMethods());
242+
ClientAuthenticationMethod method = getClientAuthenticationMethod(metadata.getTokenEndpointAuthMethods());
244243
Map<String, Object> configurationMetadata = new LinkedHashMap<>(metadata.toJSONObject());
245244
// @formatter:off
246245
return ClientRegistration.withRegistrationId(name)
@@ -256,7 +255,7 @@ private static ClientRegistration.Builder withProviderConfiguration(Authorizatio
256255
// @formatter:on
257256
}
258257

259-
private static ClientAuthenticationMethod getClientAuthenticationMethod(String issuer,
258+
private static ClientAuthenticationMethod getClientAuthenticationMethod(
260259
List<com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod> metadataAuthMethods) {
261260
if (metadataAuthMethods == null || metadataAuthMethods
262261
.contains(com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod.CLIENT_SECRET_BASIC)) {
@@ -269,10 +268,7 @@ private static ClientAuthenticationMethod getClientAuthenticationMethod(String i
269268
if (metadataAuthMethods.contains(com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod.NONE)) {
270269
return ClientAuthenticationMethod.NONE;
271270
}
272-
throw new IllegalArgumentException(
273-
"Only ClientAuthenticationMethod.CLIENT_SECRET_BASIC, ClientAuthenticationMethod.CLIENT_SECRET_POST and "
274-
+ "ClientAuthenticationMethod.NONE are supported. The issuer \"" + issuer
275-
+ "\" returned a configuration of " + metadataAuthMethods);
271+
return null;
276272
}
277273

278274
private interface ThrowingFunction<S, T, E extends Throwable> {

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTests.java

Lines changed: 71 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
/*
2-
* Copyright 2002-2020 the original author or authors.
2+
* Copyright 2002-2021 the original author or authors.
33
*
44
* Licensed under the Apache License, Version 2.0 (the "License");
55
* you may not use this file except in compliance with the License.
@@ -274,6 +274,24 @@ public void issuerWhenOAuth2TokenEndpointAuthMethodsNullThenDefaulted() throws E
274274
.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
275275
}
276276

277+
// gh-9780
278+
@Test
279+
public void issuerWhenClientSecretBasicAuthMethodThenMethodIsBasic() throws Exception {
280+
this.response.put("token_endpoint_auth_methods_supported", Arrays.asList("client_secret_basic"));
281+
ClientRegistration registration = registration("").build();
282+
assertThat(registration.getClientAuthenticationMethod())
283+
.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
284+
}
285+
286+
// gh-9780
287+
@Test
288+
public void issuerWhenOAuth2ClientSecretBasicAuthMethodThenMethodIsBasic() throws Exception {
289+
this.response.put("token_endpoint_auth_methods_supported", Arrays.asList("client_secret_basic"));
290+
ClientRegistration registration = registrationOAuth2("", null).build();
291+
assertThat(registration.getClientAuthenticationMethod())
292+
.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
293+
}
294+
277295
@Test
278296
public void issuerWhenTokenEndpointAuthMethodsPostThenMethodIsPost() throws Exception {
279297
this.response.put("token_endpoint_auth_methods_supported", Arrays.asList("client_secret_post"));
@@ -290,6 +308,46 @@ public void issuerWhenOAuth2TokenEndpointAuthMethodsPostThenMethodIsPost() throw
290308
.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_POST);
291309
}
292310

311+
// gh-9780
312+
@Test
313+
public void issuerWhenClientSecretJwtAuthMethodThenMethodIsClientSecretBasic() throws Exception {
314+
this.response.put("token_endpoint_auth_methods_supported", Arrays.asList("client_secret_jwt"));
315+
ClientRegistration registration = registration("").build();
316+
// The client_secret_basic auth method is still the default
317+
assertThat(registration.getClientAuthenticationMethod())
318+
.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
319+
}
320+
321+
// gh-9780
322+
@Test
323+
public void issuerWhenOAuth2ClientSecretJwtAuthMethodThenMethodIsClientSecretBasic() throws Exception {
324+
this.response.put("token_endpoint_auth_methods_supported", Arrays.asList("client_secret_jwt"));
325+
ClientRegistration registration = registrationOAuth2("", null).build();
326+
// The client_secret_basic auth method is still the default
327+
assertThat(registration.getClientAuthenticationMethod())
328+
.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
329+
}
330+
331+
// gh-9780
332+
@Test
333+
public void issuerWhenPrivateKeyJwtAuthMethodThenMethodIsClientSecretBasic() throws Exception {
334+
this.response.put("token_endpoint_auth_methods_supported", Arrays.asList("private_key_jwt"));
335+
ClientRegistration registration = registration("").build();
336+
// The client_secret_basic auth method is still the default
337+
assertThat(registration.getClientAuthenticationMethod())
338+
.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
339+
}
340+
341+
// gh-9780
342+
@Test
343+
public void issuerWhenOAuth2PrivateKeyJwtAuthMethodThenMethodIsClientSecretBasic() throws Exception {
344+
this.response.put("token_endpoint_auth_methods_supported", Arrays.asList("private_key_jwt"));
345+
ClientRegistration registration = registrationOAuth2("", null).build();
346+
// The client_secret_basic auth method is still the default
347+
assertThat(registration.getClientAuthenticationMethod())
348+
.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
349+
}
350+
293351
@Test
294352
public void issuerWhenTokenEndpointAuthMethodsNoneThenMethodIsNone() throws Exception {
295353
this.response.put("token_endpoint_auth_methods_supported", Arrays.asList("none"));
@@ -304,32 +362,24 @@ public void issuerWhenOAuth2TokenEndpointAuthMethodsNoneThenMethodIsNone() throw
304362
assertThat(registration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.NONE);
305363
}
306364

307-
/**
308-
* We currently only support client_secret_basic, so verify we have a meaningful error
309-
* until we add support.
310-
*/
365+
// gh-9780
311366
@Test
312-
public void issuerWhenTokenEndpointAuthMethodsInvalidThenException() {
367+
public void issuerWhenTlsClientAuthMethodThenSuccess() throws Exception {
313368
this.response.put("token_endpoint_auth_methods_supported", Arrays.asList("tls_client_auth"));
314-
// @formatter:off
315-
assertThatIllegalArgumentException()
316-
.isThrownBy(() -> registration(""))
317-
.withMessageContaining("Only ClientAuthenticationMethod.CLIENT_SECRET_BASIC, ClientAuthenticationMethod.CLIENT_SECRET_POST and "
318-
+ "ClientAuthenticationMethod.NONE are supported. The issuer \"" + this.issuer
319-
+ "\" returned a configuration of [tls_client_auth]");
320-
// @formatter:on
369+
ClientRegistration registration = registration("").build();
370+
// The client_secret_basic auth method is still the default
371+
assertThat(registration.getClientAuthenticationMethod())
372+
.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
321373
}
322374

375+
// gh-9780
323376
@Test
324-
public void issuerWhenOAuth2TokenEndpointAuthMethodsInvalidThenException() {
377+
public void issuerWhenOAuth2TlsClientAuthMethodThenSuccess() throws Exception {
325378
this.response.put("token_endpoint_auth_methods_supported", Arrays.asList("tls_client_auth"));
326-
// @formatter:off
327-
assertThatIllegalArgumentException()
328-
.isThrownBy(() -> registrationOAuth2("", null))
329-
.withMessageContaining("Only ClientAuthenticationMethod.CLIENT_SECRET_BASIC, ClientAuthenticationMethod.CLIENT_SECRET_POST and "
330-
+ "ClientAuthenticationMethod.NONE are supported. The issuer \"" + this.issuer
331-
+ "\" returned a configuration of [tls_client_auth]");
332-
// @formatter:on
379+
ClientRegistration registration = registrationOAuth2("", null).build();
380+
// The client_secret_basic auth method is still the default
381+
assertThat(registration.getClientAuthenticationMethod())
382+
.isEqualTo(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);
333383
}
334384

335385
@Test

0 commit comments

Comments
 (0)