Add support for opaque access tokens

Closes gh-500

Author: jgrandja

oauth2-authorization-server/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationServerConfigurer.java

@@ -26,6 +26,8 @@
 import javax.servlet.http.HttpServletRequestWrapper;
 import javax.servlet.http.HttpServletResponse;
 
+import com.nimbusds.jose.jwk.source.JWKSource;
+
 import org.springframework.core.annotation.AnnotationUtils;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
@@ -367,11 +369,12 @@ public void configure(B builder) {
 						providerSettings.getTokenIntrospectionEndpoint());
 		builder.addFilterAfter(postProcess(tokenIntrospectionEndpointFilter), FilterSecurityInterceptor.class);
 
-		NimbusJwkSetEndpointFilter jwkSetEndpointFilter =
-				new NimbusJwkSetEndpointFilter(
-						OAuth2ConfigurerUtils.getJwkSource(builder),
-						providerSettings.getJwkSetEndpoint());
-		builder.addFilterBefore(postProcess(jwkSetEndpointFilter), AbstractPreAuthenticatedProcessingFilter.class);
+		JWKSource<com.nimbusds.jose.proc.SecurityContext> jwkSource = OAuth2ConfigurerUtils.getJwkSource(builder);
+		if (jwkSource != null) {
+			NimbusJwkSetEndpointFilter jwkSetEndpointFilter = new NimbusJwkSetEndpointFilter(
+					jwkSource, providerSettings.getJwkSetEndpoint());
+			builder.addFilterBefore(postProcess(jwkSetEndpointFilter), AbstractPreAuthenticatedProcessingFilter.class);
+		}
 
 		OAuth2AuthorizationServerMetadataEndpointFilter authorizationServerMetadataEndpointFilter =
 				new OAuth2AuthorizationServerMetadataEndpointFilter(providerSettings);

oauth2-authorization-server/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2ConfigurerUtils.java

@@ -34,9 +34,11 @@
 import org.springframework.security.oauth2.server.authorization.InMemoryOAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.JwtEncodingContext;
 import org.springframework.security.oauth2.server.authorization.JwtGenerator;
+import org.springframework.security.oauth2.server.authorization.OAuth2AccessTokenGenerator;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.OAuth2RefreshTokenGenerator;
+import org.springframework.security.oauth2.server.authorization.OAuth2TokenClaimsContext;
 import org.springframework.security.oauth2.server.authorization.OAuth2TokenCustomizer;
 import org.springframework.security.oauth2.server.authorization.OAuth2TokenGenerator;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
@@ -93,28 +95,55 @@ static <B extends HttpSecurityBuilder<B>> OAuth2TokenGenerator<? extends OAuth2T
 		if (tokenGenerator == null) {
 			tokenGenerator = getOptionalBean(builder, OAuth2TokenGenerator.class);
 			if (tokenGenerator == null) {
-				JwtGenerator jwtGenerator = new JwtGenerator(getJwtEncoder(builder));
-				OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer = getJwtCustomizer(builder);
-				if (jwtCustomizer != null) {
-					jwtGenerator.setJwtCustomizer(jwtCustomizer);
+				JwtGenerator jwtGenerator = getJwtGenerator(builder);
+				OAuth2AccessTokenGenerator accessTokenGenerator = new OAuth2AccessTokenGenerator();
+				OAuth2TokenCustomizer<OAuth2TokenClaimsContext> accessTokenCustomizer = getAccessTokenCustomizer(builder);
+				if (accessTokenCustomizer != null) {
+					accessTokenGenerator.setAccessTokenCustomizer(accessTokenCustomizer);
 				}
 				OAuth2RefreshTokenGenerator refreshTokenGenerator = new OAuth2RefreshTokenGenerator();
-				tokenGenerator = new DelegatingOAuth2TokenGenerator(jwtGenerator, refreshTokenGenerator);
+				if (jwtGenerator != null) {
+					tokenGenerator = new DelegatingOAuth2TokenGenerator(
+							jwtGenerator, accessTokenGenerator, refreshTokenGenerator);
+				} else {
+					tokenGenerator = new DelegatingOAuth2TokenGenerator(
+							accessTokenGenerator, refreshTokenGenerator);
+				}
 			}
 			builder.setSharedObject(OAuth2TokenGenerator.class, tokenGenerator);
 		}
 		return tokenGenerator;
 	}
 
+	private static <B extends HttpSecurityBuilder<B>> JwtGenerator getJwtGenerator(B builder) {
+		JwtGenerator jwtGenerator = builder.getSharedObject(JwtGenerator.class);
+		if (jwtGenerator == null) {
+			JwtEncoder jwtEncoder = getJwtEncoder(builder);
+			if (jwtEncoder != null) {
+				jwtGenerator = new JwtGenerator(jwtEncoder);
+				OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer = getJwtCustomizer(builder);
+				if (jwtCustomizer != null) {
+					jwtGenerator.setJwtCustomizer(jwtCustomizer);
+				}
+				builder.setSharedObject(JwtGenerator.class, jwtGenerator);
+			}
+		}
+		return jwtGenerator;
+	}
+
 	private static <B extends HttpSecurityBuilder<B>> JwtEncoder getJwtEncoder(B builder) {
 		JwtEncoder jwtEncoder = builder.getSharedObject(JwtEncoder.class);
 		if (jwtEncoder == null) {
 			jwtEncoder = getOptionalBean(builder, JwtEncoder.class);
 			if (jwtEncoder == null) {
 				JWKSource<SecurityContext> jwkSource = getJwkSource(builder);
-				jwtEncoder = new NimbusJwsEncoder(jwkSource);
+				if (jwkSource != null) {
+					jwtEncoder = new NimbusJwsEncoder(jwkSource);
+				}
+			}
+			if (jwtEncoder != null) {
+				builder.setSharedObject(JwtEncoder.class, jwtEncoder);
 			}
-			builder.setSharedObject(JwtEncoder.class, jwtEncoder);
 		}
 		return jwtEncoder;
 	}
@@ -124,23 +153,22 @@ static <B extends HttpSecurityBuilder<B>> JWKSource<SecurityContext> getJwkSourc
 		JWKSource<SecurityContext> jwkSource = builder.getSharedObject(JWKSource.class);
 		if (jwkSource == null) {
 			ResolvableType type = ResolvableType.forClassWithGenerics(JWKSource.class, SecurityContext.class);
-			jwkSource = getBean(builder, type);
-			builder.setSharedObject(JWKSource.class, jwkSource);
+			jwkSource = getOptionalBean(builder, type);
+			if (jwkSource != null) {
+				builder.setSharedObject(JWKSource.class, jwkSource);
+			}
 		}
 		return jwkSource;
 	}
 
-	@SuppressWarnings("unchecked")
 	private static <B extends HttpSecurityBuilder<B>> OAuth2TokenCustomizer<JwtEncodingContext> getJwtCustomizer(B builder) {
-		OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer = builder.getSharedObject(OAuth2TokenCustomizer.class);
-		if (jwtCustomizer == null) {
-			ResolvableType type = ResolvableType.forClassWithGenerics(OAuth2TokenCustomizer.class, JwtEncodingContext.class);
-			jwtCustomizer = getOptionalBean(builder, type);
-			if (jwtCustomizer != null) {
-				builder.setSharedObject(OAuth2TokenCustomizer.class, jwtCustomizer);
-			}
-		}
-		return jwtCustomizer;
+		ResolvableType type = ResolvableType.forClassWithGenerics(OAuth2TokenCustomizer.class, JwtEncodingContext.class);
+		return getOptionalBean(builder, type);
+	}
+
+	private static <B extends HttpSecurityBuilder<B>> OAuth2TokenCustomizer<OAuth2TokenClaimsContext> getAccessTokenCustomizer(B builder) {
+		ResolvableType type = ResolvableType.forClassWithGenerics(OAuth2TokenCustomizer.class, OAuth2TokenClaimsContext.class);
+		return getOptionalBean(builder, type);
 	}
 
 	static <B extends HttpSecurityBuilder<B>> ProviderSettings getProviderSettings(B builder) {

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/OAuth2TokenClaimAccessor.java

@@ -0,0 +1,98 @@
+/*
+ * Copyright 2020-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.core;
+
+import java.net.URL;
+import java.time.Instant;
+import java.util.List;
+
+/**
+ * A {@link ClaimAccessor} for the "claims" that may be contained in an {@link OAuth2TokenClaimsSet}.
+ *
+ * @author Joe Grandja
+ * @since 0.2.3
+ * @see ClaimAccessor
+ * @see OAuth2TokenClaimNames
+ * @see OAuth2TokenClaimsSet
+ */
+public interface OAuth2TokenClaimAccessor extends ClaimAccessor {
+
+	/**
+	 * Returns the Issuer {@code (iss)} claim which identifies the principal that issued the OAuth 2.0 Token.
+	 *
+	 * @return the Issuer identifier
+	 */
+	default URL getIssuer() {
+		return getClaimAsURL(OAuth2TokenClaimNames.ISS);
+	}
+
+	/**
+	 * Returns the Subject {@code (sub)} claim which identifies the principal that is the subject of the OAuth 2.0 Token.
+	 *
+	 * @return the Subject identifier
+	 */
+	default String getSubject() {
+		return getClaimAsString(OAuth2TokenClaimNames.SUB);
+	}
+
+	/**
+	 * Returns the Audience {@code (aud)} claim which identifies the recipient(s) that the OAuth 2.0 Token is intended for.
+	 *
+	 * @return the Audience(s) that this OAuth 2.0 Token is intended for
+	 */
+	default List<String> getAudience() {
+		return getClaimAsStringList(OAuth2TokenClaimNames.AUD);
+	}
+
+	/**
+	 * Returns the Expiration time {@code (exp)} claim which identifies the expiration time on or after
+	 * which the OAuth 2.0 Token MUST NOT be accepted for processing.
+	 *
+	 * @return the Expiration time on or after which the OAuth 2.0 Token MUST NOT be accepted for processing
+	 */
+	default Instant getExpiresAt() {
+		return getClaimAsInstant(OAuth2TokenClaimNames.EXP);
+	}
+
+	/**
+	 * Returns the Not Before {@code (nbf)} claim which identifies the time before
+	 * which the OAuth 2.0 Token MUST NOT be accepted for processing.
+	 *
+	 * @return the Not Before time before which the OAuth 2.0 Token MUST NOT be accepted for processing
+	 */
+	default Instant getNotBefore() {
+		return getClaimAsInstant(OAuth2TokenClaimNames.NBF);
+	}
+
+	/**
+	 * Returns the Issued at {@code (iat)} claim which identifies the time at which the OAuth 2.0 Token was issued.
+	 *
+	 * @return the Issued at claim which identifies the time at which the OAuth 2.0 Token was issued
+	 */
+	default Instant getIssuedAt() {
+		return getClaimAsInstant(OAuth2TokenClaimNames.IAT);
+	}
+
+	/**
+	 * Returns the ID {@code (jti)} claim which provides a unique identifier for the OAuth 2.0 Token.
+	 *
+	 * @return the ID claim which provides a unique identifier for the OAuth 2.0 Token
+	 */
+	default String getId() {
+		return getClaimAsString(OAuth2TokenClaimNames.JTI);
+	}
+
+}

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/OAuth2TokenClaimNames.java

@@ -0,0 +1,67 @@
+/*
+ * Copyright 2020-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.core;
+
+/**
+ * The names of the "claims" that may be contained in an {@link OAuth2TokenClaimsSet}
+ * and are associated to an {@link OAuth2Token}.
+ *
+ * @author Joe Grandja
+ * @since 0.2.3
+ * @see OAuth2TokenClaimAccessor
+ * @see OAuth2TokenClaimsSet
+ * @see OAuth2Token
+ */
+public interface OAuth2TokenClaimNames {
+
+	/**
+	 * {@code iss} - the Issuer claim identifies the principal that issued the OAuth 2.0 Token
+	 */
+	String ISS = "iss";
+
+	/**
+	 * {@code sub} - the Subject claim identifies the principal that is the subject of the OAuth 2.0 Token
+	 */
+	String SUB = "sub";
+
+	/**
+	 * {@code aud} - the Audience claim identifies the recipient(s) that the OAuth 2.0 Token is intended for
+	 */
+	String AUD = "aud";
+
+	/**
+	 * {@code exp} - the Expiration time claim identifies the expiration time on or after
+	 * which the OAuth 2.0 Token MUST NOT be accepted for processing
+	 */
+	String EXP = "exp";
+
+	/**
+	 * {@code nbf} - the Not Before claim identifies the time before which the OAuth 2.0 Token
+	 * MUST NOT be accepted for processing
+	 */
+	String NBF = "nbf";
+
+	/**
+	 * {@code iat} - The Issued at claim identifies the time at which the OAuth 2.0 Token was issued
+	 */
+	String IAT = "iat";
+
+	/**
+	 * {@code jti} - The ID claim provides a unique identifier for the OAuth 2.0 Token
+	 */
+	String JTI = "jti";
+
+}