PR changes, round 1

Author: Steve Riesenberg

oauth2-authorization-server/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcConfigurer.java

@@ -36,6 +36,7 @@
  * @since 0.2.0
  * @see OAuth2AuthorizationServerConfigurer#oidc
  * @see OidcClientRegistrationEndpointConfigurer
+ * @see OidcUserInfoEndpointConfigurer
  * @see OidcProviderConfigurationEndpointFilter
  */
 public final class OidcConfigurer extends AbstractOAuth2Configurer {
@@ -66,7 +67,7 @@ public OidcConfigurer clientRegistrationEndpoint(Customizer<OidcClientRegistrati
 	}
 
 	/**
-	 * Configures the OAuth 2.0 Protected Resource UserInfo Endpoint.
+	 * Configures the OpenID Connect 1.0 UserInfo Endpoint.
 	 *
 	 * @param userInfoEndpointCustomizer the {@link Customizer} providing access to the {@link OidcUserInfoEndpointConfigurer}
 	 * @return the {@link OidcConfigurer} for further configuration

oauth2-authorization-server/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcUserInfoEndpointConfigurer.java

@@ -21,18 +21,23 @@
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.security.oauth2.core.OAuth2Token;
 import org.springframework.security.oauth2.core.authentication.OAuth2AuthenticationContext;
+import org.springframework.security.oauth2.core.oidc.OidcIdToken;
 import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
+import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
 import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
 import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcUserInfoAuthenticationProvider;
+import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcUserInfoAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.oidc.web.OidcUserInfoEndpointFilter;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 
 /**
- * Configurer for OAuth 2.0 Protected Resource UserInfo Endpoint.
+ * Configurer for OpenID Connect 1.0 UserInfo Endpoint.
  *
  * @author Steve Riesenberg
  * @since 0.2.1
@@ -54,6 +59,15 @@ public final class OidcUserInfoEndpointConfigurer extends AbstractOAuth2Configur
 	 * Sets the {@link Function} used to extract claims from an {@link OAuth2AuthenticationContext}
 	 * to an instance of {@link OidcUserInfo}.
 	 *
+	 * <p>
+	 * The {@link OAuth2AuthenticationContext} gives the mapper access to the {@link OidcUserInfoAuthenticationToken}.
+	 * In addition, the following context attributes are supported:
+	 * <ul>
+	 * <li>{@code OAuth2Token.class} - The {@link OAuth2Token} containing the bearer token used to make the request.</li>
+	 * <li>{@code OAuth2Authorization.class} - The {@link OAuth2Authorization} containing the {@link OidcIdToken} and
+	 * {@link OAuth2AccessToken} associated with the bearer token used to make the request.</li>
+	 * </ul>
+	 *
 	 * @param userInfoMapper the {@link Function} used to extract claims from an {@link OAuth2AuthenticationContext} to an instance of {@link OidcUserInfo}
 	 * @return the {@link OidcUserInfoEndpointConfigurer} for further configuration
 	 */
@@ -74,7 +88,7 @@ <B extends HttpSecurityBuilder<B>> void init(B builder) {
 				new OidcUserInfoAuthenticationProvider(
 						OAuth2ConfigurerUtils.getAuthorizationService(builder));
 		if (this.userInfoMapper != null) {
-			oidcUserInfoAuthenticationProvider.setUserInfoMapper(userInfoMapper);
+			oidcUserInfoAuthenticationProvider.setUserInfoMapper(this.userInfoMapper);
 		}
 		builder.authenticationProvider(postProcess(oidcUserInfoAuthenticationProvider));
 	}

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/http/converter/OidcUserInfoHttpMessageConverter.java

@@ -15,6 +15,7 @@
  */
 package org.springframework.security.oauth2.core.oidc.http.converter;
 
+import java.time.Instant;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -36,7 +37,7 @@
 import org.springframework.util.Assert;
 
 /**
- * A {@link HttpMessageConverter} for an {@link OidcUserInfo OAuth 2.0 Protected Resource UserInfo Response}.
+ * A {@link HttpMessageConverter} for an {@link OidcUserInfo OpenID Connect UserInfo Request and Response}.
  *
  * @author Ido Salomon
  * @author Steve Riesenberg
@@ -52,7 +53,7 @@ public class OidcUserInfoHttpMessageConverter extends AbstractHttpMessageConvert
 	private final GenericHttpMessageConverter<Object> jsonMessageConverter =
 			HttpMessageConverters.getJsonMessageConverter();
 
-	private Converter<Map<String, Object>, OidcUserInfo> userInfoConverter = new OidcUserInfoConverter();
+	private Converter<Map<String, Object>, OidcUserInfo> userInfoConverter = new MapOidcUserInfoConverter();
 	private Converter<OidcUserInfo, Map<String, Object>> userInfoParametersConverter = OidcUserInfo::getClaims;
 
 	public OidcUserInfoHttpMessageConverter() {
@@ -92,7 +93,7 @@ protected void writeInternal(OidcUserInfo oidcUserInfo, HttpOutputMessage output
 			);
 		} catch (Exception ex) {
 			throw new HttpMessageNotWritableException(
-					"An error occurred writing the OAuth 2.0 Protected Resource UserInfo response: " + ex.getMessage(), ex);
+					"An error occurred writing the UserInfo response: " + ex.getMessage(), ex);
 		}
 	}
 
@@ -117,21 +118,24 @@ public final void setUserInfoConverter(Converter<Map<String, Object>, OidcUserIn
 	 */
 	public final void setUserInfoParametersConverter(
 			Converter<OidcUserInfo, Map<String, Object>> userInfoParametersConverter) {
-		Assert.notNull(userInfoParametersConverter, "oidcUserInfoParametersConverter cannot be null");
+		Assert.notNull(userInfoParametersConverter, "userInfoParametersConverter cannot be null");
 		this.userInfoParametersConverter = userInfoParametersConverter;
 	}
 
-	private static final class OidcUserInfoConverter implements Converter<Map<String, Object>, OidcUserInfo> {
+	private static final class MapOidcUserInfoConverter implements Converter<Map<String, Object>, OidcUserInfo> {
+
 		private static final ClaimConversionService CLAIM_CONVERSION_SERVICE = ClaimConversionService.getSharedInstance();
 		private static final TypeDescriptor OBJECT_TYPE_DESCRIPTOR = TypeDescriptor.valueOf(Object.class);
 		private static final TypeDescriptor BOOLEAN_TYPE_DESCRIPTOR = TypeDescriptor.valueOf(Boolean.class);
 		private static final TypeDescriptor STRING_TYPE_DESCRIPTOR = TypeDescriptor.valueOf(String.class);
+		private static final TypeDescriptor INSTANT_TYPE_DESCRIPTOR = TypeDescriptor.valueOf(Instant.class);
 		private static final TypeDescriptor STRING_OBJECT_MAP_DESCRIPTOR = TypeDescriptor.map(Map.class, STRING_TYPE_DESCRIPTOR, OBJECT_TYPE_DESCRIPTOR);
 		private final ClaimTypeConverter claimTypeConverter;
 
-		private OidcUserInfoConverter() {
-			Converter<Object, ?> stringConverter = getConverter(STRING_TYPE_DESCRIPTOR);
+		private MapOidcUserInfoConverter() {
 			Converter<Object, ?> booleanConverter = getConverter(BOOLEAN_TYPE_DESCRIPTOR);
+			Converter<Object, ?> stringConverter = getConverter(STRING_TYPE_DESCRIPTOR);
+			Converter<Object, ?> instantConverter = getConverter(INSTANT_TYPE_DESCRIPTOR);
 			Converter<Object, ?> mapConverter = getConverter(STRING_OBJECT_MAP_DESCRIPTOR);
 
 			Map<String, Converter<Object, ?>> claimConverters = new HashMap<>();
@@ -154,7 +158,7 @@ private OidcUserInfoConverter() {
 			claimConverters.put(StandardClaimNames.PHONE_NUMBER, stringConverter);
 			claimConverters.put(StandardClaimNames.PHONE_NUMBER_VERIFIED, booleanConverter);
 			claimConverters.put(StandardClaimNames.ADDRESS, mapConverter);
-			claimConverters.put(StandardClaimNames.UPDATED_AT, stringConverter);
+			claimConverters.put(StandardClaimNames.UPDATED_AT, instantConverter);
 
 			this.claimTypeConverter = new ClaimTypeConverter(claimConverters);
 		}

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/ConfigurationSettingNames.java

@@ -95,7 +95,7 @@ public static final class Provider {
 		public static final String OIDC_CLIENT_REGISTRATION_ENDPOINT = PROVIDER_SETTINGS_NAMESPACE.concat("oidc-client-registration-endpoint");
 
 		/**
-		 * Set the Provider's OAuth 2.0 Protected Resource UserInfo endpoint.
+		 * Set the Provider's OpenID Connect 1.0 UserInfo endpoint.
 		 */
 		public static final String OIDC_USER_INFO_ENDPOINT = PROVIDER_SETTINGS_NAMESPACE.concat("oidc-user-info-endpoint");
 

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/ProviderSettings.java

@@ -98,7 +98,7 @@ public String getOidcClientRegistrationEndpoint() {
 	}
 
 	/**
-	 * Returns the Provider's OAuth 2.0 Protected Resource UserInfo endpoint. The default is {@code /userinfo}.
+	 * Returns the Provider's OpenID Connect 1.0 UserInfo endpoint. The default is {@code /userinfo}.
 	 *
 	 * @return the OpenID Connect 1.0 User Info endpoint
 	 */
@@ -213,7 +213,7 @@ public Builder oidcClientRegistrationEndpoint(String oidcClientRegistrationEndpo
 		}
 
 		/**
-		 * Sets the Provider's OAuth 2.0 Protected Resource UserInfo endpoint.
+		 * Sets the Provider's OpenID Connect 1.0 UserInfo endpoint.
 		 *
 		 * @param oidcUserInfoEndpoint the OpenID Connect 1.0 User Info endpoint
 		 * @return the {@link Builder} for further configuration

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcUserInfoAuthenticationProvider.java

@@ -29,6 +29,7 @@
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.core.OAuth2Token;
 import org.springframework.security.oauth2.core.OAuth2TokenType;
 import org.springframework.security.oauth2.core.authentication.OAuth2AuthenticationContext;
 import org.springframework.security.oauth2.core.oidc.OidcIdToken;
@@ -41,7 +42,7 @@
 import org.springframework.util.Assert;
 
 /**
- * An {@link AuthenticationProvider} implementation for OAuth 2.0 Protected Resource UserInfo.
+ * An {@link AuthenticationProvider} implementation for OpenID Connect 1.0 UserInfo Endpoint.
  *
  * @author Steve Riesenberg
  * @since 0.2.1
@@ -52,7 +53,7 @@ public final class OidcUserInfoAuthenticationProvider implements AuthenticationP
 
 	private final OAuth2AuthorizationService authorizationService;
 
-	private Function<OAuth2AuthenticationContext, OidcUserInfo> userInfoMapper = new OidcUserInfoClaimsMapper();
+	private Function<OAuth2AuthenticationContext, OidcUserInfo> userInfoMapper = new DefaultOidcUserInfoMapper();
 
 	/**
 	 * Constructs an {@code OidcUserInfoAuthenticationProvider} using the provided parameters.
@@ -69,7 +70,6 @@ public Authentication authenticate(Authentication authentication) throws Authent
 		OidcUserInfoAuthenticationToken userInfoAuthentication =
 				(OidcUserInfoAuthenticationToken) authentication;
 
-		// Validate the "initial" access token
 		AbstractOAuth2TokenAuthenticationToken<?> accessTokenAuthentication = null;
 		if (AbstractOAuth2TokenAuthenticationToken.class.isAssignableFrom(userInfoAuthentication.getPrincipal().getClass())) {
 			accessTokenAuthentication = (AbstractOAuth2TokenAuthenticationToken<?>) userInfoAuthentication.getPrincipal();
@@ -91,7 +91,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_TOKEN);
 		}
 
-		if (!isAuthorized(authorizedAccessToken)) {
+		if (!authorizedAccessToken.getToken().getScopes().contains(OidcScopes.OPENID)) {
 			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INSUFFICIENT_SCOPE);
 		}
 
@@ -101,9 +101,10 @@ public Authentication authenticate(Authentication authentication) throws Authent
 		}
 
 		Map<Object, Object> context = new HashMap<>();
+		context.put(OAuth2Token.class, accessTokenAuthentication.getToken());
 		context.put(OAuth2Authorization.class, authorization);
 		OAuth2AuthenticationContext authenticationContext = new OAuth2AuthenticationContext(
-				accessTokenAuthentication, context);
+				userInfoAuthentication, context);
 
 		OidcUserInfo userInfo = this.userInfoMapper.apply(authenticationContext);
 		return new OidcUserInfoAuthenticationToken(accessTokenAuthentication, userInfo);
@@ -118,18 +119,23 @@ public boolean supports(Class<?> authentication) {
 	 * Sets the {@link Function} used when mapping from an {@link OAuth2AuthenticationContext}
 	 * to an instance of {@link OidcUserInfo} for the UserInfo response.
 	 *
+	 * <p>
+	 * The {@link OAuth2AuthenticationContext} gives the mapper access to the {@link OidcUserInfoAuthenticationToken}.
+	 * In addition, the following context attributes are supported:
+	 * <ul>
+	 * <li>{@code OAuth2Token.class} - The {@link OAuth2Token} containing the bearer token used to make the request.</li>
+	 * <li>{@code OAuth2Authorization.class} - The {@link OAuth2Authorization} containing the {@link OidcIdToken} and
+	 * {@link OAuth2AccessToken} associated with the bearer token used to make the request.</li>
+	 * </ul>
+	 *
 	 * @param userInfoMapper the {@link Function} used when mapping from an {@link OAuth2AuthenticationContext}
 	 */
 	public void setUserInfoMapper(Function<OAuth2AuthenticationContext, OidcUserInfo> userInfoMapper) {
 		Assert.notNull(userInfoMapper, "userInfoMapper cannot be null");
 		this.userInfoMapper = userInfoMapper;
 	}
 
-	private static boolean isAuthorized(OAuth2Authorization.Token<OAuth2AccessToken> authorizedAccessToken) {
-		return authorizedAccessToken.getToken().getScopes().contains(OidcScopes.OPENID);
-	}
-
-	private static final class OidcUserInfoClaimsMapper implements Function<OAuth2AuthenticationContext, OidcUserInfo> {
+	private static final class DefaultOidcUserInfoMapper implements Function<OAuth2AuthenticationContext, OidcUserInfo> {
 
 		private static final List<String> EMAIL_CLAIMS = Arrays.asList(
 				StandardClaimNames.EMAIL,

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcUserInfoAuthenticationToken.java

@@ -19,11 +19,12 @@
 
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.core.Version;
 import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
 import org.springframework.util.Assert;
 
 /**
- * An {@link Authentication} implementation used for OAuth 2.0 Protected Resource UserInfo.
+ * An {@link Authentication} implementation used for OpenID Connect 1.0 UserInfo Endpoint.
  *
  * @author Steve Riesenberg
  * @since 0.2.1
@@ -33,27 +34,34 @@
  */
 public class OidcUserInfoAuthenticationToken extends AbstractAuthenticationToken {
 
+	private static final long serialVersionUID = Version.SERIAL_VERSION_UID;
+
 	private final Authentication principal;
 	private final OidcUserInfo userInfo;
 
 	/**
 	 * Constructs an {@code OidcUserInfoAuthenticationToken} using the provided parameters.
 	 *
-	 * @param principal the authenticatedion principal
+	 * @param principal the authenticated principal
 	 */
 	public OidcUserInfoAuthenticationToken(Authentication principal) {
-		this(principal, null);
+		super(Collections.emptyList());
+		Assert.notNull(principal, "principal cannot be null");
+		this.principal = principal;
+		this.userInfo = null;
+		setAuthenticated(false);
 	}
 
 	/**
 	 * Constructs an {@code OidcUserInfoAuthenticationToken} using the provided parameters.
 	 *
-	 * @param principal the authenticatedion principal
-	 * @param userInfo The UserInfo of the id token
+	 * @param principal the authenticated principal
+	 * @param userInfo the UserInfo claims
 	 */
 	public OidcUserInfoAuthenticationToken(Authentication principal, OidcUserInfo userInfo) {
 		super(Collections.emptyList());
 		Assert.notNull(principal, "principal cannot be null");
+		Assert.notNull(userInfo, "userInfo cannot be null");
 		this.principal = principal;
 		this.userInfo = userInfo;
 		setAuthenticated(principal.isAuthenticated());
@@ -66,15 +74,15 @@ public Object getPrincipal() {
 
 	@Override
 	public Object getCredentials() {
-		return null;
+		return "";
 	}
 
 	/**
-	 * Returns the user info associated with the authorized access token.
+	 * Returns the UserInfo claims.
 	 *
-	 * @return the user info associated with the authorized access token
+	 * @return the UserInfo claims
 	 */
 	public OidcUserInfo getUserInfo() {
-		return userInfo;
+		return this.userInfo;
 	}
 }

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcUserInfoEndpointFilter.java

@@ -44,7 +44,7 @@
 import org.springframework.web.filter.OncePerRequestFilter;
 
 /**
- * A {@code Filter} that processes OAuth 2.0 Protected Resource UserInfo requests.
+ * A {@code Filter} that processes OpenID Connect 1.0 UserInfo Requests.
  *
  * @author Ido Salomon
  * @author Steve Riesenberg
@@ -55,7 +55,7 @@
 public final class OidcUserInfoEndpointFilter extends OncePerRequestFilter {
 
 	/**
-	 * The default endpoint {@code URI} for OAuth 2.0 Protected Resource UserInfo requests.
+	 * The default endpoint {@code URI} for OpenID Connect 1.0 UserInfo Requests.
 	 */
 	private static final String DEFAULT_OIDC_USER_INFO_ENDPOINT_URI = "/userinfo";
 
@@ -80,11 +80,11 @@ public OidcUserInfoEndpointFilter(AuthenticationManager authenticationManager) {
 	 * Constructs an {@code OidcUserInfoEndpointFilter} using the provided parameters.
 	 *
 	 * @param authenticationManager the authentication manager
-	 * @param userInfoEndpointUri the endpoint {@code URI} for OAuth 2.0 Protected Resource UserInfo requests
+	 * @param userInfoEndpointUri the endpoint {@code URI} for OpenID Connect 1.0 UserInfo Requests
 	 */
 	public OidcUserInfoEndpointFilter(AuthenticationManager authenticationManager, String userInfoEndpointUri) {
 		Assert.notNull(authenticationManager, "authenticationManager cannot be null");
-		Assert.notNull(userInfoEndpointUri, "userInfoEndpointUri cannot be null");
+		Assert.hasText(userInfoEndpointUri, "userInfoEndpointUri cannot be empty");
 		this.authenticationManager = authenticationManager;
 		this.userInfoEndpointMatcher = new OrRequestMatcher(
 				new AntPathRequestMatcher(userInfoEndpointUri, HttpMethod.GET.name()),
@@ -115,7 +115,7 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 		} catch (Exception ex) {
 			OAuth2Error error = new OAuth2Error(
 					OAuth2ErrorCodes.INVALID_REQUEST,
-					"OAuth 2.0 Protected Resource UserInfo Error: " + ex.getMessage(),
+					"OpenID Connect 1.0 UserInfo Error: " + ex.getMessage(),
 					"https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError");
 			sendErrorResponse(response, error);
 		} finally {

oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcUserInfoTests.java

@@ -38,6 +38,7 @@
 import org.springframework.security.config.test.SpringTestRule;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.oidc.OidcIdToken;
+import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
 import org.springframework.security.oauth2.core.oidc.StandardClaimNames;
 import org.springframework.security.oauth2.jose.TestJwks;
@@ -66,14 +67,14 @@
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 /**
- * Integration tests for the OpenID User Info endpoint.
+ * Integration tests for the OpenID Connect 1.0 UserInfo endpoint.
  *
  * @author Steve Riesenberg
  */
 public class OidcUserInfoTests {
 	private static final String DEFAULT_OIDC_USER_INFO_ENDPOINT_URI = "/userinfo";
 	private static final List<String> OPENID_USER_INFO_SCOPES = Arrays.asList(
-			"openid", "address", "email", "phone", "profile"
+			OidcScopes.OPENID, OidcScopes.ADDRESS, OidcScopes.EMAIL, OidcScopes.PHONE, OidcScopes.PROFILE
 	);
 
 	@Rule

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/core/oidc/http/converter/OidcUserInfoHttpMessageConverterTests.java

@@ -190,7 +190,7 @@ public void writeInternalWhenWriteFailsThenThrowsException() {
 
 		assertThatExceptionOfType(HttpMessageNotWritableException.class)
 				.isThrownBy(() -> this.messageConverter.writeInternal(userInfo, outputMessage))
-				.withMessageContaining("An error occurred writing the OAuth 2.0 Protected Resource UserInfo response")
+				.withMessageContaining("An error occurred writing the UserInfo response")
 				.withMessageContaining(errorMessage);
 	}